Change in osmo-sip-connector[master]: fix use-after-free in SIP re-INVITE

neels gerrit-no-reply at lists.osmocom.org
Tue Jun 1 01:36:13 UTC 2021


neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-sip-connector/+/24474 )


Change subject: fix use-after-free in SIP re-INVITE
......................................................................

fix use-after-free in SIP re-INVITE

Copy the m_mode before freeing the parser.
Address sanitizer aborted with:

20210601033017695 DSIP INFO re-INVITE for call 854A5CDA8037073 (sip.c:192)
=================================================================
==8583==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000003250 at pc 0x55c3b4624dc5 bp 0x7ffe8a4464d0 sp 0x7ffe8a4464c8
READ of size 8 at 0x612000003250 thread T0
    #0 0x55c3b4624dc4 in sdp_get_sdp_mode ../../../src/osmo-sip-connector/src/sdp.c:72
    #1 0x55c3b462be9e in sip_handle_reinvite ../../../src/osmo-sip-connector/src/sip.c:202
    #2 0x55c3b462d676 in nua_callback ../../../src/osmo-sip-connector/src/sip.c:397
[...]

Change-Id: I4c48832f01e61e98536de8f164ab5a3caa64f34a
---
M src/sdp.c
1 file changed, 1 insertion(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-sip-connector refs/changes/74/24474/1

diff --git a/src/sdp.c b/src/sdp.c
index f1909d4..7bfcff5 100644
--- a/src/sdp.c
+++ b/src/sdp.c
@@ -68,8 +68,8 @@
 		return sdp_sendrecv;
 	}
 
-	sdp_parser_free(parser);
 	*mode = sdp->sdp_media->m_mode;
+	sdp_parser_free(parser);
 	return true;
 }
 
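Review bot: At the tail of this function, `*mode = sdp->sdp_media->m_mode;` dereferences `sdp->sdp_media`, and nothing in the visible context checks it for NULL. Since the SDP here arrives in a re-INVITE from the remote side, please confirm a check exists above the hunk, or add one before the copy and free the parser on that path as well. The early `return sdp_sendrecv;` in the leading context also deserves a look: the tail returns `true`, so the two paths return different kinds of value, and the hunk does not show whether that branch calls `sdp_parser_free(parser)`. The reordering itself is consistent with the ASan trace in the commit message, which reports the freed-memory read at sdp.c:72.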

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-sip-connector/+/24474
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-sip-connector
Gerrit-Branch: master
Gerrit-Change-Id: I4c48832f01e61e98536de8f164ab5a3caa64f34a
Gerrit-Change-Number: 24474
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr at sysmocom.de>
Gerrit-MessageType: newchange