b2b_logic: fix crashes due to dangling tuple pointer

Make sure to not access a tuple that might have been freed while not holding the lock. Many thanks to David Escartin from Sonoc for the help in troubleshooting this issue!
OpenSIPS · Feb 6, 2023 · 1225b01 · 1225b01
1 parent 65a8da4
commit 1225b01
Showing 1 changed file with 26 additions and 6 deletions.
diff --git a/modules/b2b_logic/logic.c b/modules/b2b_logic/logic.c
@@ -1791,6 +1791,7 @@ int b2b_logic_notify_reply(int src, struct sip_msg* msg, str* key, str* body, st
 	b2bl_entity_id_t** entity_head = NULL;
 	int_str avp_val;
 	int locked = 0;
+	int routeid;
 
 	if (parse_headers(msg, HDR_EOH_F, 0) < 0)
 	{
@@ -1874,26 +1875,35 @@ int b2b_logic_notify_reply(int src, struct sip_msg* msg, str* key, str* body, st
 			goto error;
 		}
 
+		routeid = tuple->reply_routeid;
+
 		lock_release(&b2bl_htable[hash_index].lock);
 		locked = 0;
 
 		cur_route_ctx.flags |= B2BL_RT_RPL_CTX;
-		run_top_route(sroutes->request[tuple->reply_routeid], msg);
+		run_top_route(sroutes->request[routeid], msg);
 		cur_route_ctx.flags &= ~B2BL_RT_RPL_CTX;
 
 		pkg_free(cur_route_ctx.entity_key.s);
 	}
 
 done:
 	if (tuple && cur_route_ctx.flags & B2BL_RT_DO_UPDATE) {
-		if (!locked) {
+		if (b2bl_db_mode != NO_DB && !locked) {
 			lock_get(&b2bl_htable[hash_index].lock);
 			locked = 1;
+
+			tuple = b2bl_search_tuple_safe(hash_index, local_index);
+			if(!tuple) {
+				LM_DBG("B2B logic record not found anymore\n");
+				lock_release(&b2bl_htable[hash_index].lock);
+				return 0;
+			}
 		}
 
 		if(b2bl_db_mode == WRITE_THROUGH)
 			b2bl_db_update(tuple);
-		else
+		else if (b2bl_db_mode == WRITE_BACK)
 			UPDATE_DBFLAG(tuple);
 	}
 	if (locked)
@@ -2025,6 +2035,7 @@ int b2b_logic_notify_request(int src, struct sip_msg* msg, str* key, str* body,
 	b2bl_dlg_stat_t stats;
 	b2b_rpl_data_t rpl_data;
 	int locked = 0;
+	int routeid;
 
 	lock_get(&b2bl_htable[hash_index].lock);
 	locked = 1;
@@ -2338,11 +2349,13 @@ int b2b_logic_notify_request(int src, struct sip_msg* msg, str* key, str* body,
 			}
 		}
 
+		routeid = tuple->req_routeid;
+
 		lock_release(&b2bl_htable[hash_index].lock);
 		locked = 0;
 
 		cur_route_ctx.flags = B2BL_RT_REQ_CTX;
-		run_top_route(sroutes->request[tuple->req_routeid], msg);
+		run_top_route(sroutes->request[routeid], msg);
 		cur_route_ctx.flags &= ~B2BL_RT_REQ_CTX;
 
 		pkg_free(cur_route_ctx.entity_key.s);
@@ -2359,13 +2372,20 @@ int b2b_logic_notify_request(int src, struct sip_msg* msg, str* key, str* body,
 done:
 	if(tuple && cur_route_ctx.flags & B2BL_RT_DO_UPDATE)
 	{
-		if (!locked) {
+		if (b2bl_db_mode != NO_DB && !locked) {
 			lock_get(&b2bl_htable[hash_index].lock);
 			locked = 1;
+
+			tuple = b2bl_search_tuple_safe(hash_index, local_index);
+			if(!tuple) {
+				LM_DBG("B2B logic record not found anymore\n");
+				lock_release(&b2bl_htable[hash_index].lock);
+				return 0;
+			}
 		}
 		if(b2bl_db_mode == WRITE_THROUGH)
 			b2bl_db_update(tuple);
-		else
+		else if (b2bl_db_mode == WRITE_BACK)
 			UPDATE_DBFLAG(tuple);
 	}
 	if (locked)