Module: kamailio
Branch: master
Commit: d529b511b1ce722ceccf29dc006e92d45f1f340e
URL: https://github.com/kamailio/kamailio/commit/d529b511b1ce722ceccf29dc006e92d45f1f340e

Author: ngash <ng...@west.com>
Committer: Daniel-Constantin Mierla <mico...@gmail.com>
Date: 2025-04-11T13:33:23+02:00

uac: fix memory corruption from shared tp being freed by another transaction

- Shared memory corruption resulting in multiple process core dumps. Triggered 
by an outbound REGISTER receiving 401 for all requests which resulted in the 
shared tp being released in uac_resend_tm_callback whilst the current 
transaction was put on timer and also used after release and then re-released. 
In order to avoid sharing the tp I changed the code in uac_send_tm_callback to 
clone the existing tp. Also added a sanity check for null as tp could be 
released prior to a dereference of tp->event

---

Modified: src/modules/uac/uac_send.c

---

Diff: https://github.com/kamailio/kamailio/commit/d529b511b1ce722ceccf29dc006e92d45f1f340e.diff
Patch: https://github.com/kamailio/kamailio/commit/d529b511b1ce722ceccf29dc006e92d45f1f340e.patch

---

diff --git a/src/modules/uac/uac_send.c b/src/modules/uac/uac_send.c
index dd5de24b16c..f8a77b6a6b4 100644
--- a/src/modules/uac/uac_send.c
+++ b/src/modules/uac/uac_send.c
@@ -807,7 +807,7 @@ void uac_send_tm_callback(struct cell *t, int type, struct 
tmcb_params *ps)
                /* Callback function */
                uac_r.cb = uac_resend_tm_callback;
                /* Callback parameter */
-               uac_r.cbp = (void *)tp;
+               uac_r.cbp = (void *)uac_send_info_clone(tp);
        }
        ret = _uac_send_tmb.t_request_within(&uac_r);
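
Review bot: the result of uac_send_info_clone(tp) is stored in uac_r.cbp on the changed line without a NULL check. If the clone cannot be allocated, uac_resend_tm_callback is still set as uac_r.cb and t_request_within() is called with a NULL callback parameter, so either that callback has to tolerate NULL or this branch should log and bail out before sending. The second hunk already treats uac_r.cbp as possibly NULL, so handling the failure here, where it happens, would be more consistent.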
 
@@ -816,13 +816,18 @@ void uac_send_tm_callback(struct cell *t, int type, 
struct tmcb_params *ps)
                goto error;
        }
        if(uac_r.cb_flags & TMCB_LOCAL_REQUEST_DROP) {
+               if(uac_r.cbp != NULL)
+                       shm_free(uac_r.cbp);
+
                shm_free(tp);
                *ps->param = NULL;
                tp = NULL;
        }
 
-       if(tp->evroute != 0) {
-               return;
+       if(tp != NULL) {
+               if(tp->evroute != 0) {
+                       return;
+               }
        }
 
 done:
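
Review bot: the clone is released only inside the TMCB_LOCAL_REQUEST_DROP branch, while the goto error at the top of this hunk is reached first with uac_r.cbp still pointing at it. The error label is outside the hunk, so please confirm that path frees the clone as well (or free it before the goto); otherwise each request that takes the error path leaves a uac_send_info copy behind in shared memory. Two smaller points: uac_r.cbp keeps its stale value after shm_free(uac_r.cbp) whereas tp is reset to NULL right below, and the new nested check reads more simply as if(tp != NULL && tp->evroute != 0) return;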
