next_branches(): Fix bugs leading to READ on freed shared memory

This patch fixes two code paths leading to the @avp pointer being freed, after which the dangling pointer is read afterwards by the search_next_avp() function at the "done" goto label. This will work 99% of the time, until the 1% where it won't (crash and burn!). Many thanks to Richard Revels (@rrevels-bw) and Sebastien Couture for an accurate report, as well as their involvement in troubleshooting! Fixes #2446 Fixes #2950 (cherry picked from commit 578fc29)
OpenSIPS · Nov 17, 2022 · e5739be · e5739be
1 parent a8e1657
commit e5739be
Showing 1 changed file with 12 additions and 15 deletions.
diff --git a/serialize.c b/serialize.c
@@ -268,7 +268,7 @@ int next_branches( struct sip_msg *msg)
 	qvalue_t q;
 	str uri, dst_uri, path, path_dst;
 	char *p;
-	unsigned int flags;
+	unsigned int flags, last_parallel_fork;
 	int rval;
 
 	if (route_type != REQUEST_ROUTE && route_type != FAILURE_ROUTE ) {
@@ -342,16 +342,14 @@ int next_branches( struct sip_msg *msg)
 				path.len, path.s,
 				q, flags, avp->flags);
 
-
-	if (avp->flags & Q_FLAG) {
-		destroy_avp(avp);
-		goto done;
-	}
-
+	last_parallel_fork = (avp->flags & Q_FLAG);
 	prev = avp;
-	avp = search_next_avp(prev, &val);
+	avp = search_next_avp(avp, &val);
 	destroy_avp(prev);
 
+	if (last_parallel_fork)
+		goto done;
+
 	/* Append branches until out of branches or Q_FLAG is set */
 	while (avp != NULL) {
 
@@ -391,19 +389,18 @@ int next_branches( struct sip_msg *msg)
 			goto error1;
 		}
 
-		if (avp->flags & Q_FLAG) {
-			destroy_avp(avp);
-			goto done;
-		}
-
+		last_parallel_fork = (avp->flags & Q_FLAG);
 		prev = avp;
-		avp = search_next_avp(prev, &val);
+		avp = search_next_avp(avp, &val);
 		destroy_avp(prev);
+
+		if (last_parallel_fork)
+			goto done;
 	}
 
 	return 2;
 done:
-	return (search_next_avp(avp, NULL)==NULL)?2:1;
+	return avp ? 1 : 2;
 error1:
 	destroy_avp(avp);
 error: