[sr-dev] [kamailio] siputils: tel2sip(): fix 'off by one' when allocating memory (#534)

Dragos Oancea notifications at github.com
Mon Mar 7 15:21:48 CET 2016


While building the sip uri in tel2sip() we have:
sip_uri.s = pkg_malloc(sip_uri.len) 
But later in pv_set_ruri():
val->rs.s[val->rs.len] = '\0';
It's overwriting the q_malloc control structures (a classic type of bug already).

Kamailio will log a line like this before crashing:
Mar  3 13:31:15 XXXXXXXX /opt/ims/sbin/kamailio[15030]: : <core> [mem/q_malloc.c:140]: qm_debug_frag(): BUG: qm_*: prev. fragm. tail overwritten(c0c0c000, abcdefed)[0x7feaf22bd558:0x7feaf22bd588]!

I get this crash with long "tel:" ruris, the ones that have a ";phone-context=" param.
This patch fixes it.

You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/534

-- Commit Summary --

  * siputils: tel2sip(): fix 'off by one' when allocating memory

-- File Changes --

    M modules/siputils/checks.c (2)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/534.patch
https://github.com/kamailio/kamailio/pull/534.diff

---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/534
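
An added illustration of the bug class described in this message, not code from Kamailio or from the pull request: a hypothetical debug allocator (`dbg_malloc`, `dbg_tail_ok`) puts a constructed canary after each buffer, and a consumer writes `s[len] = '\0'` as the post describes. The struct, function names, sample URI parts and the `extra` parameter are assumptions; the tail check fails when exactly `len` bytes are allocated and passes with `len + 1`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counted string modelled on a (pointer, length) pair; not NUL-terminated by itself. */
typedef struct { char *s; int len; } str_t;

#define CANARY_LEN 8
static const unsigned char CANARY[CANARY_LEN] = {0xc0,0xc0,0xc0,0xc0,0xab,0xcd,0xef,0xed}; /* constructed */

/* Hypothetical debug allocator: 'size' usable bytes followed by a tail canary. */
static void *dbg_malloc(size_t size) {
    unsigned char *p = malloc(size + CANARY_LEN);
    if (p) memcpy(p + size, CANARY, CANARY_LEN);
    return p;
}

/* Returns 1 if the canary after the usable bytes is intact, 0 if it was overwritten. */
static int dbg_tail_ok(const void *p, size_t size) {
    return memcmp((const unsigned char *)p + size, CANARY, CANARY_LEN) == 0;
}

/* Stand-in for the consumer in the post: terminates the value in place. */
static void terminate_in_place(str_t *v) { v->s[v->len] = '\0'; }

/* Builds "sip:" user "@" host in a buffer of len + extra bytes, then terminates it.
 * Returns 1 if the tail canary survived, 0 if it was clobbered, -1 on allocation failure. */
int build_and_check(const char *user, const char *host, int extra) {
    size_t ulen = strlen(user), hlen = strlen(host), alloc;
    str_t uri; int ok;
    uri.len = (int)(4 + ulen + 1 + hlen);
    alloc = (size_t)uri.len + (size_t)extra;
    uri.s = dbg_malloc(alloc);
    if (!uri.s) return -1;
    memcpy(uri.s, "sip:", 4);
    memcpy(uri.s + 4, user, ulen);
    uri.s[4 + ulen] = '@';
    memcpy(uri.s + 5 + ulen, host, hlen);
    terminate_in_place(&uri);          /* writes uri.s[uri.len] */
    ok = dbg_tail_ok(uri.s, alloc);    /* the check a debug allocator runs on the fragment tail */
    free(uri.s);
    return ok;
}

int main(void) {
    printf("len bytes:     tail ok = %d\n", build_and_check("+15551230000", "example.org", 0));
    printf("len + 1 bytes: tail ok = %d\n", build_and_check("+15551230000", "example.org", 1));
    return 0;
}
```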