From 6d39b55723ee08e1709c2b97d357213a8ae8a103 Mon Sep 17 00:00:00 2001
From: William King
Date: Sun, 15 Sep 2013 15:57:17 -0700
Subject: [PATCH 1/3] Don't risk the double free, use switch_safe_free here same as in ~15 lines.

---
 src/mod/applications/mod_httapi/mod_httapi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mod/applications/mod_httapi/mod_httapi.c b/src/mod/applications/mod_httapi/mod_httapi.c
index e5bfac12ae..6ae3001804 100644
--- a/src/mod/applications/mod_httapi/mod_httapi.c
+++ b/src/mod/applications/mod_httapi/mod_httapi.c
@@ -2343,7 +2343,7 @@ static char *load_cache_data(http_file_context_t *context, const char *url)
 if ((p = strchr(dext, '?'))) {
 *p = '\0';
 ext = dext;
- } else free(dext);
+ } else switch_safe_free(dext);
 }
 context->cache_file_base = switch_core_sprintf(context->pool, "%s%s%s", globals.cache_path, SWITCH_PATH_SEPARATOR, digest);

From b03ba503cd2005196f70bdc7adfd1be645f5a019 Mon Sep 17 00:00:00 2001
From: William King
Date: Sun, 15 Sep 2013 16:05:11 -0700
Subject: [PATCH 2/3] While sofia does garbage collection, in other locations we still call su_free after calls to sip_header_as_string. So adding it here too since we've finished using the full_contact variable.

---
 src/mod/endpoints/mod_sofia/sofia.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index 1dab5915a4..9230944a43 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
@@ -8948,6 +8948,10 @@ void sofia_handle_sip_i_invite(switch_core_session_t *session, nua_t *nua, sofia
 switch_assert(sql);
 sofia_glue_execute_sql_now(profile, &sql, SWITCH_TRUE);
+
+ if ( full_contact ) {
+ su_free(nua_handle_home(tech_pvt->nh), full_contact);
+ }
 }
 if (is_nat) {

From f7b902b107ee1bc0d1ea59274537f3c45e2dafcc Mon Sep 17 00:00:00 2001
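Review bot: The `else` body on the added line in mod_httapi.c should be braced, `} else { switch_safe_free(dext); }`, because `switch_safe_free` is a macro that expands to an `if` statement of its own, and an unbraced `else` whose body is another statement-shaped macro is fragile if the macro's form ever changes; the matching `if` branch three lines up already uses braces. The NULL reset the macro adds only protects the `else` path: when the `?` branch is taken, `ext` aliases `dext` and `dext` stays non-NULL, so whatever frees `dext` later in this function must not also free or reuse `ext`, which is worth confirming given the subject names a double free as the motivation. `load_cache_data` continues beyond the hunk on both sides, so that later free is not visible here.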
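Review bot: After `su_free(nua_handle_home(tech_pvt->nh), full_contact);` in sofia.c the pointer is left dangling; add `full_contact = NULL;` inside the new block so any later reference in `sofia_handle_sip_i_invite` (which continues outside the hunk) fails visibly instead of reading freed memory. The free also sits inside the block that the following `}` closes, so if `full_contact` can be non-NULL on paths that skip this block it still leaks on those paths; the hunk does not show enough to confirm either way. The call is only correct if `full_contact` was allocated from the same home, `nua_handle_home(tech_pvt->nh)`; the commit message says it came from `sip_header_as_string`, but the allocation site is not visible here. Minor style: `if ( full_contact )` uses padded parentheses unlike the neighbouring `if (is_nat)`.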
From: William King
Date: Sun, 15 Sep 2013 16:19:19 -0700
Subject: [PATCH 3/3] How did the use after free not blowup in the last 3 years since it was modified?

---
 src/mod/applications/mod_fifo/mod_fifo.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/mod/applications/mod_fifo/mod_fifo.c b/src/mod/applications/mod_fifo/mod_fifo.c
index 0e42a18e0e..c50029dae4 100644
--- a/src/mod/applications/mod_fifo/mod_fifo.c
+++ b/src/mod/applications/mod_fifo/mod_fifo.c
@@ -1637,7 +1637,6 @@ static void *SWITCH_THREAD_FUNC o_thread_run(switch_thread_t *thread, void *obj)
 fifo_execute_sql_queued(&sql, SWITCH_TRUE, SWITCH_TRUE);
 status = switch_ivr_originate(NULL, &session, &cause, originate_string, h->timeout, NULL, NULL, NULL, NULL, ovars, SOF_NONE, NULL);
- free(originate_string);
 if (status != SWITCH_STATUS_SUCCESS) {
@@ -1694,6 +1693,10 @@ static void *SWITCH_THREAD_FUNC o_thread_run(switch_thread_t *thread, void *obj)
 end:
+ if ( originate_string ){
+ switch_safe_free(originate_string);
+ }
+
 switch_event_destroy(&ovars);
 if (node) {
 switch_mutex_lock(node->update_mutex);
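Review bot: The guard `if ( originate_string ){` around `switch_safe_free(originate_string);` in the second mod_fifo.c hunk is redundant, since `switch_safe_free` already tests the pointer for NULL and resets it, so the three added lines can be reduced to the single line `switch_safe_free(originate_string);`. More importantly, moving the free from the first hunk to the `end:` label means every `goto end` taken before `originate_string` is assigned now reaches this free, so its declaration (outside both hunks, earlier in `o_thread_run`) must initialise it to NULL, otherwise an early exit frees an indeterminate pointer. Removing the early `free(originate_string)` in the first hunk is the right fix for the use-after-free only if `originate_string` is still referenced between the originate call and `end:`, which these hunks do not show. `o_thread_run` begins before the first hunk and continues after the second.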