
rtpengine: fixed segfault when using read_sdp_pv

- Obtain the body pointer fresh from the SIP message, because when
read_sdp_pv is used the body pointer is overwritten

Phil Lavin authored on 23/11/2017 10:22:42
Showing 1 changed files
... ...
@@ -3328,6 +3328,7 @@ rtpengine_offer_answer(struct sip_msg *msg, const char *flags, int op, int more)
3328 3328
 	str body, newbody;
3329 3329
 	struct lump *anchor;
3330 3330
 	pv_value_t pv_val;
3331
+	str cur_body = {0, 0};
3331 3332
 
3332 3333
 	dict = rtpp_function_call_ok(&bencbuf, msg, op, flags, &body);
3333 3334
 	if (!dict)
... ...
@@ -3357,7 +3358,12 @@ rtpengine_offer_answer(struct sip_msg *msg, const char *flags, int op, int more)
3357 3358
 			pkg_free(newbody.s);
3358 3359
 
3359 3360
 		} else {
3360
-			anchor = del_lump(msg, body.s - msg->buf, body.len, 0);
3361
+			/* get the body from the message as body ptr may have changed */
3362
+			cur_body.len = 0;
3363
+			cur_body.s = get_body(msg);
3364
+			cur_body.len = msg->buf + msg->len - cur_body.s;
3365
+
3366
+			anchor = del_lump(msg, cur_body.s - msg->buf, cur_body.len, 0);
3361 3367
 			if (!anchor) {
3362 3368
 				LM_ERR("del_lump failed\n");
3363 3369
 				goto error_free;
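Review bot: The pointer returned by `get_body(msg)` in the new else branch is used without a check; if it can come back NULL for a message whose body cannot be located, `cur_body.s - msg->buf` and `msg->buf + msg->len - cur_body.s` become a meaningless offset and length that are handed to `del_lump()` for a message that arrived from the network. I would add `if (cur_body.s == NULL) { LM_ERR("failed to get message body\n"); goto error_free; }` directly after the `get_body()` call. The deleted span also changes from `body` (as filled in by `rtpp_function_call_ok()`) to everything from the body start to the end of the buffer; if `body` can be a sub-part of the message body, such as the SDP part of a multipart body (not visible in these hunks), the other parts would now be removed too, which deserves a guard or at least a comment. `cur_body.len = 0;` is redundant given the `{0, 0}` initialiser and the assignment two lines later. `rtpengine_offer_answer()` starts and ends outside the shown hunks.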