On Oct 01, 2012 at 14:19, Jijo <realj...@gmail.com> wrote:
> We found a problem regarding the TCP connection alias in the following code
> in tcp_main.c:
>
> [...]
>
> As the TCP_ALIAS_REPLACE flag is set in the default TCP options value, in the
> function _tcpconn_add_alias_unsafe() a TCP connection alias can be moved
> from connection A to connection B based on the TCP alias hash. In this
> case, the number of aliases is incremented in connection A and
> decremented in connection B. However, in connection B the number of
> aliases can reach zero (no alias). The code above can then be executed for
> connection B, setting the number of aliases to 1 unconditionally. When this
> happens, connection B keeps an invalid alias (already excluded
> from connection B by the tcpconn_add_alias_unsafe() function called from
> connection A). When connection A is released, the aliases are also
> released, and this memory area can be filled with different data. As
> connection B has a reference to an invalid alias, it can try to access
> invalid areas and crash Kamailio. This access happens, for example,
> when another alias is added to connection B.
>
> To fix it we include a check before the code:
>
> if (c->aliases>0) {
Thanks a lot, I've committed the fix. The only difference is that I changed
if (c->aliases>0) into if (c->aliases > 1).

Andrei

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
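The failure described in the thread is an invariant break between a per-connection alias counter and the alias entries that are actually linked into the alias hash. The following is an added example written for this page, not Kamailio's tcp_main.c: the structures, the bucket list, the replace policy in conn_add_alias(), the "keep only the first alias" path in conn_keep_first_alias() and the scenario() walk-through are all assumptions chosen to mirror the report (B owns an alias, A takes it over under a replace policy, B's count drops to 0, and the unguarded path then sets the count back to 1 and resurrects an entry that is no longer linked). The fixed variant applies the guard from the follow-up reply, `if (c->aliases > 1)`. The model stops at detecting the stale entry with conn_consistent() rather than dereferencing freed memory; in a real implementation the stale entry still carries its list links, which is what the later alias add or teardown would walk.

```c
/* Toy model of per-connection alias bookkeeping with a "replace" policy.
 * Added example, NOT Kamailio code: names and layout are assumptions. */
#include <stdio.h>
#include <string.h>

#define ALIAS_HASH_SIZE 16
#define MAX_ALIASES 4

struct conn;

struct alias {
    struct conn *parent;
    struct alias *next, *prev;   /* links inside one alias hash bucket */
    unsigned short port;
    unsigned short hash;
};

struct conn {
    int id;
    int aliases;                 /* how many con_aliases[] entries are live */
    struct alias con_aliases[MAX_ALIASES];
};

static struct alias *alias_hash[ALIAS_HASH_SIZE];

static unsigned short port_hash(unsigned short port)
{
    return port % ALIAS_HASH_SIZE;
}

static void bucket_add(struct alias *a)
{
    a->prev = NULL;
    a->next = alias_hash[a->hash];
    if (a->next) a->next->prev = a;
    alias_hash[a->hash] = a;
}

/* Unlink without clearing next/prev, as a generic listrm macro would. */
static void bucket_rm(struct alias *a)
{
    if (a->next) a->next->prev = a->prev;
    if (a->prev) a->prev->next = a->next;
    else alias_hash[a->hash] = a->next;
}

static struct alias *bucket_find(unsigned short port)
{
    struct alias *a;
    for (a = alias_hash[port_hash(port)]; a; a = a->next)
        if (a->port == port) return a;
    return NULL;
}

/* Remove one alias from its parent: unlink it and compact the array. */
static void conn_rm_alias(struct alias *a)
{
    struct conn *p = a->parent;
    int i = (int)(a - p->con_aliases);
    bucket_rm(a);
    p->aliases--;
    if (i != p->aliases) {       /* move the last live entry into the hole */
        bucket_rm(&p->con_aliases[p->aliases]);
        p->con_aliases[i] = p->con_aliases[p->aliases];
        bucket_add(&p->con_aliases[i]);
    }
}

/* Add port as an alias of c.  With replace=1 an alias owned by another
 * connection is moved over (the replace policy the thread describes).
 * Returns 0 on success, -1 if the alias is taken or c is full. */
static int conn_add_alias(struct conn *c, unsigned short port, int replace)
{
    struct alias *a = bucket_find(port);
    if (a) {
        if (a->parent == c) return 0;
        if (!replace) return -1;
        conn_rm_alias(a);        /* the other connection may drop to 0 */
    }
    if (c->aliases >= MAX_ALIASES) return -1;
    a = &c->con_aliases[c->aliases];
    a->parent = c; a->port = port; a->hash = port_hash(port);
    bucket_add(a);
    c->aliases++;
    return 0;
}

/* Drop every alias except the first (hypothetical stand-in for the elided
 * block).  fixed=0 sets c->aliases=1 unconditionally; fixed=1 applies the
 * guard from the follow-up reply, "if (c->aliases > 1)". */
static void conn_keep_first_alias(struct conn *c, int fixed)
{
    int i;
    if (fixed && c->aliases <= 1) return;
    for (i = 1; i < c->aliases; i++) bucket_rm(&c->con_aliases[i]);
    c->aliases = 1;
}

/* Invariant: every entry counted by c->aliases is linked in its bucket and
 * points back to c.  Returns 1 if consistent, 0 if a stale entry exists. */
static int conn_consistent(const struct conn *c)
{
    int i;
    for (i = 0; i < c->aliases; i++) {
        const struct alias *a = &c->con_aliases[i], *b;
        int linked = 0;
        if (a->parent != c) return 0;
        for (b = alias_hash[a->hash]; b; b = b->next) if (b == a) linked = 1;
        if (!linked) return 0;
    }
    return 1;
}

/* Constructed scenario: B owns port 5060, A takes it over with replace,
 * the keep-first path runs on B, then B gains another alias. */
static int scenario(int fixed)
{
    static struct conn A, B;
    memset(alias_hash, 0, sizeof alias_hash);
    memset(&A, 0, sizeof A); memset(&B, 0, sizeof B);
    A.id = 1; B.id = 2;
    conn_add_alias(&B, 5060, 0);
    conn_add_alias(&A, 5060, 1);          /* B.aliases is now 0 */
    conn_keep_first_alias(&B, fixed);     /* unguarded: resurrects slot 0 */
    conn_add_alias(&B, 5063, 0);          /* the later add from the report */
    return conn_consistent(&B);
}

int main(void)
{
    printf("unguarded: B consistent = %d\n", scenario(0));
    printf("guarded:   B consistent = %d\n", scenario(1));
    return 0;
}
```

With the unguarded path B ends up with aliases == 2 while con_aliases[0] is linked nowhere and still names port 5060, which now belongs to A; with the guard B's count stays 0 and the later alias lands in slot 0. The check in conn_consistent() is the kind of assertion worth keeping under a debug build wherever a counter and a linked structure are maintained separately.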