Skip to content

Commit

Permalink
dispatcher: Fix rare crash with 'pvar_algo_pattern'
Browse files Browse the repository at this point in the history
This patch simply moves the name buffer for the 'pvar_algo_pattern' into
SHM rather than a stack buffer, in order to avoid invalid memory being
referenced past the function's return point.

Many thanks to Eric Tamme from Five9 for reporting & testing!
  • Loading branch information
liviuchircu committed Jan 10, 2025
1 parent 355d706 commit fe1a50d
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 7 deletions.
15 changes: 8 additions & 7 deletions modules/dispatcher/dispatch.c
Original file line number Diff line number Diff line change
Expand Up @@ -570,9 +570,16 @@ ds_pvar_param_p ds_get_pvar_param(int id, str uri)
int len = ds_pattern_prefix.len + ds_pattern_infix.len + ds_pattern_suffix.len
+ uri.len + str_id.len;

char buf[len]; /* XXX: check if this works for all compilers */
char *buf;
ds_pvar_param_p param;

param = shm_malloc(sizeof *param + len);
if (!param) {
LM_ERR("no more shm memory\n");
return NULL;
}
buf = param->buf;

if (ds_pattern_one>DS_PATTERN_NONE) {
name.len = 0;
name.s = buf;
Expand All @@ -598,12 +605,6 @@ ds_pvar_param_p ds_get_pvar_param(int id, str uri)
name.len += ds_pattern_suffix.len;
}

param = shm_malloc(sizeof(ds_pvar_param_t));
if (!param) {
LM_ERR("no more shm memory\n");
return NULL;
}

if (!pv_parse_spec(ds_pattern_one>DS_PATTERN_NONE ? &name : &ds_pattern_prefix,
&param->pvar)) {
LM_ERR("cannot parse pattern spec\n");
Expand Down
1 change: 1 addition & 0 deletions modules/dispatcher/dispatch.h
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ typedef struct _ds_pvar_param
{
pv_spec_t pvar;
int value;
char buf[0];
} ds_pvar_param_t, *ds_pvar_param_p;


Expand Down

0 comments on commit fe1a50d

Please sign in to comment.