Fixed double free issue when reading multiple SIP messages in one TCP…

… chunk Do proper zero-ing out of the tcp_req structure
OpenSIPS · Aug 12, 2013 · db24ec0 · db24ec0
1 parent 41157e7
commit db24ec0
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 7 deletions.
diff --git a/tcp_conn.h b/tcp_conn.h
@@ -193,6 +193,9 @@ struct tcp_connection{
 		(r)->parsed=(r)->pos=(r)->start=(r)->buf; \
 		(r)->error=TCP_REQ_OK;\
 		(r)->state=H_SKIP_EMPTY; \
+		(r)->body=0; \
+		(r)->complete=(r)->content_len=(r)->has_content_len=0; \
+		(r)->bytes_to_go=0; \
 	}while(0)
 
 

diff --git a/tcp_read.c b/tcp_read.c
@@ -439,8 +439,10 @@ void release_tcpconn(struct tcp_connection* c, long state, int unix_sock)
 			c, state, c->fd, c->id);
 	LM_DBG(" extra_data %p\n", c->extra_data);
 
-	if (c->con_req)
+	if (c->con_req) {
 		pkg_free(c->con_req);
+		c->con_req = NULL;
+	}
 
 	/* release req & signal the parent */
 	if (c->fd!=-1) close(c->fd);
@@ -696,8 +698,11 @@ int tcp_read_req(struct tcp_connection* con, int* bytes_read)
 				&local_rcv) <0)
 					LM_ERR("receive_msg failed \n");
 
-			if (req != &current_req)
+			if (!size && req != &current_req) {
+				/* if we no longer need this tcp_req
+				 * we can free it now */
 				pkg_free(req);
+			}
 		}
 
 		*req->parsed=c;
@@ -743,11 +748,6 @@ int tcp_read_req(struct tcp_connection* con, int* bytes_read)
 				goto end_req;
 			}
 
-			con->con_req->content_len = req->content_len;
-			con->con_req->bytes_to_go = req->bytes_to_go;
-			con->con_req->error = req->error;
-			con->con_req->state = req->state;
-
 			if (req->pos != req->buf) {
 				/* we have read some bytes */
 				memcpy(con->con_req->buf,req->buf,req->pos-req->buf);
@@ -766,6 +766,18 @@ int tcp_read_req(struct tcp_connection* con, int* bytes_read)
 			else
 				con->con_req->parsed = con->con_req->buf;
 
+			if (req->body != 0) {
+				con->con_req->body = con->con_req->buf + (req->body-req->buf);
+			} else
+				con->con_req->body = 0;
+
+			con->con_req->complete=req->complete;
+			con->con_req->has_content_len=req->has_content_len;
+			con->con_req->content_len=req->content_len;
+			con->con_req->bytes_to_go=req->bytes_to_go;
+			con->con_req->error = req->error;
+			con->con_req->state = req->state;
+
 			/* zero out the per process req for the future SIP msg */
 			init_tcp_req(&current_req);
 		}