tm + subscribers: Fix possible SHM leaks around tmb.t_req_within

The severity is medium, however, as these leaks would only occur once the SHM pool is near depletion. (cherry picked from commit 80bd901)
OpenSIPS · Feb 19, 2020 · a8370f8 · a8370f8
1 parent ffb0577
commit a8370f8
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 21 deletions.
diff --git a/modules/dispatcher/dispatch.c b/modules/dispatcher/dispatch.c
@@ -2294,11 +2294,6 @@ static void ds_options_callback( struct cell *t, int type,
 	return;
 }
 
-void shm_free_cb_param(void *param)
-{
-	shm_free(param);
-}
-
 /*
  * Timer for checking inactive destinations
  *
@@ -2368,8 +2363,9 @@ void ds_check_timer(unsigned int ticks, void* param)
 							dlg,
 							ds_options_callback,
 							(void*)cb_param,
-							shm_free_cb_param) < 0) {
+							osips_shm_free) < 0) {
 						LM_ERR("unable to execute dialog\n");
+						shm_free(cb_param);
 					}
 					tmb.free_dlg(dlg);
 				}

diff --git a/modules/drouting/drouting.c b/modules/drouting/drouting.c
@@ -724,10 +724,6 @@ static void dr_probing_callback( struct cell *t, int type,
 }
 
 
-static void param_prob_callback_free(void *param) {
-	shm_free(param);
-}
-
 static void dr_prob_handler(unsigned int ticks, void* param)
 {
 	static char buff[1000] = {"sip:"};
@@ -795,12 +791,14 @@ static void dr_prob_handler(unsigned int ticks, void* param)
 			params->current_partition = it;
 
 			if (dr_tmb.t_request_within(&dr_probe_method, NULL, NULL, dlg,
-			dr_probing_callback, (void*)params, param_prob_callback_free)<0) {
+			dr_probing_callback, (void*)params, osips_shm_free)<0) {
 				LM_ERR("unable to execute dialog, disabling destination...\n");
 				if ( (dst->flags&DR_DST_STAT_DSBL_FLAG)==0 ) {
 					dst->flags |= DR_DST_STAT_DSBL_FLAG|DR_DST_STAT_DIRT_FLAG;
 					dr_gw_status_changed( it, dst);
 				}
+
+				shm_free(params);
 			}
 			dr_tmb.free_dlg(dlg);
 

diff --git a/modules/tm/tm_load.h b/modules/tm/tm_load.h
@@ -58,7 +58,13 @@ struct tm_binds {
 	tlookup_ident_f  t_lookup_ident;
 	taddblind_f      t_addblind;
 	treply_f         t_reply_unsafe;
+
+	/*
+	 * @return: 1 (success) or an error.h code otherwise.  On error, make sure
+	 * to free your parameter manually, as @release_func will be skipped!
+	 */
 	reqwith_t        t_request_within;
+
 	reqout_t         t_request_outside;
 	req_t            t_request;
 	new_dlg_uac_f      new_dlg_uac;

diff --git a/modules/tm/uac.c b/modules/tm/uac.c
@@ -498,7 +498,7 @@ int t_uac(str* method, str* headers, str* body, dlg_t* dialog,
 	 * - needed by external ua to send a request within a dlg
 	 */
 	if(!dialog->hooks.next_hop && w_calculate_hooks(dialog)<0)
-		goto error3;
+		goto error_out;
 
 	if(dialog->obp.s)
 		dialog->hooks.next_hop = &dialog->obp;
@@ -511,7 +511,7 @@ int t_uac(str* method, str* headers, str* body, dlg_t* dialog,
 		dialog->send_sock ? dialog->send_sock->proto : PROTO_NONE );
 	if (proxy==0)  {
 		ret=E_BAD_ADDRESS;
-		goto error3;
+		goto error_out;
 	}
 	/* use the first address */
 	hostent2su( &to_su,
@@ -530,7 +530,7 @@ int t_uac(str* method, str* headers, str* body, dlg_t* dialog,
 		if (!dialog->send_sock) {
 			LM_ERR("no corresponding socket for af %d\n", to_su.s.sa_family);
 			ser_error = E_NO_SOCKET;
-			goto error2;
+			goto error3;
 		}
 	}
 	LM_DBG("sending socket is %.*s \n",
@@ -541,7 +541,7 @@ int t_uac(str* method, str* headers, str* body, dlg_t* dialog,
 	if (!new_cell) {
 		ret=E_OUT_OF_MEM;
 		LM_ERR("short of cell shmem\n");
-		goto error2;
+		goto error3;
 	}
 
 	/* if we have a dialog ctx, link it to the newly created transaction
@@ -658,11 +658,12 @@ int t_uac(str* method, str* headers, str* body, dlg_t* dialog,
 	LOCK_HASH(hi);
 	remove_from_hash_table_unsafe(new_cell);
 	UNLOCK_HASH(hi);
-	free_cell(new_cell);
 error2:
+	free_cell(new_cell);
+error3:
 	free_proxy( proxy );
 	pkg_free( proxy );
-error3:
+error_out:
 	return ret;
 }
 

diff --git a/modules/uac_registrant/registrant.c b/modules/uac_registrant/registrant.c
@@ -296,8 +296,6 @@ static int child_init(int rank)
 }
 
 
-void shm_free_param(void* param) {shm_free(param);}
-
 struct reg_tm_cback_data {
 	struct cell *t;
 	struct tmcb_params *ps;
@@ -711,7 +709,11 @@ int send_register(unsigned int hash_index, reg_record_t *rec, str *auth_hdr)
 		&rec->td,		/* dialog structure*/
 		reg_tm_cback,		/* callback function */
 		(void *)cb_param,	/* callback param */
-		shm_free_param);	/* function to release the parameter */
+		osips_shm_free);	/* function to release the parameter */
+
+	if (result < 1)
+		shm_free(cb_param);
+
 	LM_DBG("result=[%d]\n", result);
 	return result;
 }
@@ -759,7 +761,11 @@ int send_unregister(unsigned int hash_index, reg_record_t *rec, str *auth_hdr)
 		&rec->td,		/* dialog structure*/
 		reg_tm_cback,		/* callback function */
 		(void *)cb_param,	/* callback param */
-		shm_free_param);	/* function to release the parameter */
+		osips_shm_free);	/* function to release the parameter */
+
+	if (result < 1)
+		shm_free(cb_param);
+
 	LM_DBG("result=[%d]\n", result);
 	return result;
 }