<p class="MsoNormal"><span style="color:rgb(31,73,125)">We found a problem regarding TCP connection aliases in the following code at tcp_main.c:</span></p>

<pre style="color:#1f497d">
int tcpconn_finish_connect( struct tcp_connection* c,
                            union sockaddr_union* from)
{
	:
	:
	/* remove all the aliases except the first one and re-add them
	 * (there shouldn't be more then the 3 default aliases at this
	 * stage) */
	for (r=1; r&lt;c-&gt;aliases; r++){
		a=&amp;c-&gt;con_aliases[r];
		tcpconn_listrm(tcpconn_aliases_hash[a-&gt;hash], a, next, prev);
	}
	c-&gt;aliases=1;
</pre>


<p class="MsoNormal"><span style="color:#1f497d">As the TCP_ALIAS_REPLACE flag is set
for the default TCP options value, in the function _tcpconn_add_alias_unsafe()
a TCP connection alias can be moved from connection A to connection B based on
the TCP alias hash. In this case, the number of aliases is incremented in
connection A and decremented in connection B. However, in connection
B the number of aliases can reach zero (no alias), and the code above can be
executed for connection B, setting the number of aliases to 1 unconditionally.
When this happens, connection B keeps an invalid alias (already
excluded from connection B by the tcpconn_add_alias_unsafe() function called from
connection A). When connection A is released, the aliases are also
released, and this memory area can be filled with different data. As connection
B has references to an invalid alias, it can try to access invalid areas and
can crash Kamailio. This access happens, for example, when another alias is
added to connection B.</span></p>

<p class="MsoNormal"><span style="color:#1f497d">To fix it, we include a check
before the code:</span></p>

<pre style="color:#1f497d">
	<span style="color:#00b050">if (c-&gt;aliases&gt;0) {</span>
		for (r=1; r&lt;c-&gt;aliases; r++){
			a=&amp;c-&gt;con_aliases[r];
			tcpconn_listrm(tcpconn_aliases_hash[a-&gt;hash], a, next, prev);
			memset(a,0xbb,sizeof(struct tcp_conn_alias));
		}
		c-&gt;aliases=1;
	<span style="color:#00b050">}</span>
</pre>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Please let us know if you have any comments.</span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Thanks</span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Jijo</span></p>
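<p class="MsoNormal">A constructed C model of the failure sequence described in the mail, added here as an example and not Kamailio's own code: the alias hash, the connection structs and the helper names are simplified stand-ins, and scenario() returns how many of connection B's counted aliases are no longer registered in the hash, first without and then with the proposed guard.</p>

```c
#include <stdbool.h>
#include <string.h>
/* Toy model of the alias bookkeeping (constructed for this example, not Kamailio code). */
#define HASH_SIZE 8
#define BUCKET(h) ((h) % HASH_SIZE)
struct tcp_conn_alias { unsigned hash; struct tcp_connection *owner; };
struct tcp_connection { struct tcp_conn_alias con_aliases[4]; int aliases; };
/* Stand-in for tcpconn_aliases_hash: at most one registered alias per bucket. */
static struct tcp_conn_alias *aliases_hash[HASH_SIZE];
static void listrm(struct tcp_conn_alias *a)  { aliases_hash[BUCKET(a->hash)] = NULL; }
static void listadd(struct tcp_conn_alias *a) { aliases_hash[BUCKET(a->hash)] = a; }
/* Models _tcpconn_add_alias_unsafe() under TCP_ALIAS_REPLACE: an alias owned by
 * another connection is taken away from that owner and attached to c. */
static void add_alias_replace(struct tcp_connection *c, unsigned hash) {
    struct tcp_conn_alias *old = aliases_hash[BUCKET(hash)];
    if (old && old->owner != c) {
        struct tcp_connection *o = old->owner; int i = (int)(old - o->con_aliases);
        listrm(old);
        memmove(&o->con_aliases[i], &o->con_aliases[i + 1],
                (size_t)(o->aliases - i - 1) * sizeof *old);
        o->aliases--;                                   /* may now be zero */
        for (; i < o->aliases; i++) listadd(&o->con_aliases[i]); /* re-register shifted slots */
    }
    struct tcp_conn_alias *a = &c->con_aliases[c->aliases++];
    a->hash = hash; a->owner = c;
    listadd(a);
}
/* The tcpconn_finish_connect() fragment from the mail, with or without the guard. */
static void finish_connect(struct tcp_connection *c, bool with_check) {
    if (!with_check || c->aliases > 0) {
        for (int r = 1; r < c->aliases; r++) listrm(&c->con_aliases[r]);
        c->aliases = 1;            /* unconditional: wrong when no alias is left */
    }
}
/* Invariant: every slot below c->aliases must be the alias registered for its
 * bucket. Returns how many slots violate it, i.e. how many aliases are stale. */
static int count_stale(const struct tcp_connection *c) {
    int stale = 0;
    for (int r = 0; r < c->aliases; r++)
        if (aliases_hash[BUCKET(c->con_aliases[r].hash)] != &c->con_aliases[r]) stale++;
    return stale;
}
/* The sequence from the mail: B owns an alias, A claims the same hash (the alias
 * moves to A and B->aliases drops to 0), then B runs the finish_connect code. */
int scenario(bool with_check) {
    struct tcp_connection a = {0}, b = {0};
    memset(aliases_hash, 0, sizeof aliases_hash);
    add_alias_replace(&b, 3);
    add_alias_replace(&a, 3);
    finish_connect(&b, with_check);
    return count_stale(&b);        /* 1 without the guard, 0 with it */
}
```

The stale slot is exactly the reference that later code (for example the next alias added to B) would follow into memory that is no longer B's, which is the crash path the mail describes.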