registrar: Fix possible crash in remove_ip_port()

The release_urecord() function may actually delete the AoR on the spot, including the map_t node which the iterator is currently at! This was causing an invalid SHM memory read when calling iterator_next(), potentially running into a crash. The fix is to advance the iterator ahead of time, before the release_urecord() call. Fixes #2954
OpenSIPS · Feb 7, 2023 · a117dc8 · a117dc8
1 parent cea7b88
commit a117dc8
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/modules/registrar/save.c b/modules/registrar/save.c
@@ -1121,16 +1121,17 @@ int _remove_ip_port(struct sip_msg *msg, str *ip, int *port, void *udomain, str*
 	/* no AOR help, go through ALL registered AORs :( */
 	for(i=0; i<dom->size; i++) {
 		ul.lock_ulslot( dom, i);
-		for ( map_first( dom->table[i].records, &it);
-			iterator_is_valid(&it);
-			iterator_next(&it) ) {
 
+		map_first(dom->table[i].records, &it);
+		while (iterator_is_valid(&it)) {
 			dest = iterator_val(&it);
-			if( dest == NULL ) {
+			if (!dest) {
 				LM_ERR("Failed to get urecord\n");
 				goto error_unlock;
 			}
-			record =( urecord_t * ) *dest;
+
+			record = (urecord_t *)*dest;
+			iterator_next(&it);
 
 			if (_remove_ip_port_urecord(record,ip,port) != 0) {
 				LM_ERR("Failed to remove contacts \n");