
tm: function to clean local parsed headers and body for uas request

- some modules use t->uas.request for getting attributes of the
transaction request when processing the response, which may result in
pointers to private memory being stored in the shared memory, causing
crashes when other processes try to use the pointers

(cherry picked from commit 159224b254d9a67104c60fedab46a1b78cf19a83)

Daniel-Constantin Mierla authored on 04/05/2022 06:56:14
Showing 4 changed files
... ...
@@ -1776,3 +1776,37 @@ error:
1776 1776
 	return NULL;
1777 1777
 }
1778 1778
 
1779
+/**
1780
+ *
1781
+ */
1782
+void t_uas_request_clean_parsed(tm_cell_t *t)
1783
+{
1784
+	struct hdr_field *hdr;
1785
+	void *mstart;
1786
+	void *mend;
1787
+
1788
+	if (!t || !t->uas.request) {
1789
+		return;
1790
+	}
1791
+
1792
+	mstart = t->uas.request;
1793
+	mend = t->uas.end_request;
1794
+
1795
+	/* free header's parsed structures that were added by failure handlers */
1796
+	for (hdr=t->uas.request->headers; hdr; hdr=hdr->next ) {
1797
+		if (hdr->parsed && hdr_allocs_parse(hdr)
1798
+				&& (hdr->parsed<mstart || hdr->parsed>=mend)) {
1799
+			/* header parsed filed doesn't point inside fake memory
1800
+			 * chunck -> it was added by failure funcs.-> free it as pkg */
1801
+			LM_DBG("removing hdr->parsed %d\n",	hdr->type);
1802
+			clean_hdr_field(hdr);
1803
+			hdr->parsed = 0;
1804
+		}
1805
+	}
1806
+	/* free parsed body added by failure handlers */
1807
+	if (t->uas.request->body) {
1808
+		if(t->uas.request->body->free)
1809
+			t->uas.request->body->free(&t->uas.request->body);
1810
+		t->uas.request->body = 0;
1811
+	}
1812
+}
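Review bot: The `/** */` block above `t_uas_request_clean_parsed()` is empty, although the function has a contract that callers in other modules cannot guess from its name. It hands every `hdr->parsed` lying outside `[t->uas.request, t->uas.end_request)` to `clean_hdr_field()` and, going by the inline comment, frees it as pkg memory, so it is only safe in the process that did the parsing and before that process stops handling the transaction; run from another process it would release pointers that do not belong to that process's private heap. I would state this in the doc comment, e.g. `Free pkg-allocated parsed header structures and parsed body attached to t->uas.request; must run in the process that parsed them, before it stops handling t`. The loop also rewrites `hdr->parsed` and `body` in the shared request without taking a lock in this function, so the comment should name the lock the caller is expected to hold (presumably the reply lock, to be confirmed against the call sites, which are not on this page). The range test further assumes `t->uas.end_request` is set whenever `t->uas.request` is; if it could ever be 0, every parsed header would be treated as foreign and freed.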
... ...
@@ -28,7 +28,6 @@
28 28
 #include "h_table.h"
29 29
 #include "t_reply.h"
30 30
 
31
-
32 31
 #define CSEQ "CSeq: "
33 32
 #define CSEQ_LEN (sizeof(CSEQ)-1)
34 33
 #define TO "To: "
... ...
@@ -45,7 +44,6 @@
45 44
 #define MAXFWD_HEADER "Max-Forwards: " MAXFWD_VALUE CRLF
46 45
 #define MAXFWD_HEADER_LEN (sizeof(MAXFWD_HEADER) - 1)
47 46
 
48
-
49 47
 char *build_local(struct cell *Trans, unsigned int branch,
50 48
 	unsigned int *len, char *method, int method_len, str *to
51 49
 	, struct cancel_reason* reason
... ...
@@ -92,4 +90,7 @@ int t_calc_branch(struct cell *t,
92 90
 char* print_callid_mini(char* target, str callid);
93 91
 char* print_cseq_mini(char* target, str* cseq, str* method);
94 92
 
93
+typedef void (*t_uas_request_clean_parsed_f)(tm_cell_t *t);
94
+void t_uas_request_clean_parsed(tm_cell_t *t);
95
+
95 96
 #endif
... ...
@@ -138,6 +138,7 @@ int load_tm( struct tm_binds *tmb)
138 138
 	tmb->t_next_contacts = t_next_contacts;
139 139
 	tmb->set_fr = t_set_fr;
140 140
 	tmb->t_release_transaction = t_release_transaction;
141
+	tmb->t_uas_request_clean_parsed = t_uas_request_clean_parsed;
141 142
 	return 1;
142 143
 }
143 144
 
... ...
@@ -38,6 +38,7 @@
38 38
 #include "t_append_branches.h"
39 39
 #include "t_stats.h"
40 40
 #include "t_serial.h"
41
+#include "t_msgbuilder.h"
41 42
 
42 43
 /* export not usable from scripts */
43 44
 #define NO_SCRIPT	-1
... ...
@@ -121,6 +122,7 @@ struct tm_binds {
121 122
 	cmd_function	t_next_contacts;
122 123
 	tset_fr_f set_fr;
123 124
 	trelease_t      t_release_transaction;
125
+	t_uas_request_clean_parsed_f t_uas_request_clean_parsed;
124 126
 };
125 127
 
126 128
 typedef struct tm_binds tm_api_t;