From 649b789ccde40778543f2a973a1c01495a2cba8b Mon Sep 17 00:00:00 2001
From: Daniel-Constantin Mierla <miconda@gmail.com>
Date: Sun, 30 Jul 2017 18:18:24 +0200
Subject: [PATCH] call_control: check return values and free in case of errors
 in fixup

---
 src/modules/call_control/call_control.c | 31 ++++++++++++++++++-------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/src/modules/call_control/call_control.c b/src/modules/call_control/call_control.c
index e1776de61a6..689a16d1fde 100644
--- a/src/modules/call_control/call_control.c
+++ b/src/modules/call_control/call_control.c
@@ -245,6 +245,7 @@ int
 cc_parse_param(void *val, AVP_List** avps) {
 
     char *p = NULL;
+    char *p0 = NULL;
     str s, content;
     AVP_List *mp = NULL;
 
@@ -258,13 +259,13 @@ cc_parse_param(void *val, AVP_List** avps) {
 		return -1;
 	}
 
-    p = (char*) pkg_malloc (content.len + 1);
-    CHECK_ALLOC(p);
+    p0 = (char*) pkg_malloc (content.len + 1);
+    CHECK_ALLOC(p0);
+    p = p0;
 
     p[content.len] = '\0';
     memcpy(p, content.s, content.len);
 
-
     for (;*p != '\0';) {
 
         mp = (AVP_List*) pkg_malloc (sizeof(AVP_List));
@@ -296,8 +297,13 @@ cc_parse_param(void *val, AVP_List** avps) {
         s.len = strlen(p);
 
         p = pv_parse_spec(&s, mp->pv);
+        if(p==NULL) {
+            LM_ERR("failed to parse pv spec\n");
+            goto error;
+        }
 
         for (; isspace(*p); p++);
+
         *avps = mp;
     }
 
@@ -310,6 +316,7 @@ cc_parse_param(void *val, AVP_List** avps) {
 		}
 		pkg_free(mp);
 	}
+    if(p0) pkg_free(p0);
 	return -1;
 }
 
@@ -581,6 +588,7 @@ make_custom_request(struct sip_msg *msg, CallInfo *call)
 {
     static char request[8192];
     int len = 0;
+    int len0 = 0;
     AVP_List *al;
     pv_value_t pt;
 
@@ -601,21 +609,26 @@ make_custom_request(struct sip_msg *msg, CallInfo *call)
     }
 
     for (; al; al = al->next) {
-        pv_get_spec_value(msg, al->pv, &pt);
+        if(pv_get_spec_value(msg, al->pv, &pt)<0) {
+            LM_ERR("failed to get pv value\n");
+            return NULL;
+        }
         if (pt.flags & PV_VAL_INT) {
-            len += snprintf(request + len, sizeof(request),
+            len += snprintf(request + len0, sizeof(request)-len0,
                       "%.*s = %d ", al->name.len, al->name.s,
                    pt.ri);
         } else    if (pt.flags & PV_VAL_STR) {
-            len += snprintf(request + len, sizeof(request),
+            len += snprintf(request + len0, sizeof(request)-len0,
                       "%.*s = %.*s ", al->name.len, al->name.s,
                    pt.rs.len, pt.rs.s);
         }
 
-          if (len >= sizeof(request)) {
-               LM_ERR("callcontrol request is longer than %ld bytes\n", (unsigned long)sizeof(request));
+        if (len >= sizeof(request)-len0) {
+            LM_ERR("callcontrol request is longer than %ld bytes\n",
+                    (unsigned long)sizeof(request));
             return NULL;
-             }
+        }
+        len0 = len;
     }