From 97f1ee6e287b6f711ddbe04700a82295341ed880 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Mon, 9 Mar 2015 16:30:53 +0200
Subject: [PATCH] sqlops: fix use-after-free by deep copying result name

When creating a new result handle, deep copy the result name.
Otherwise we might end up accessing the name after it's freed.

(cherry picked from commit 6e2604464e64cfaaf1e0327228f53f4787b69470)
---
 modules/sqlops/sql_api.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/modules/sqlops/sql_api.c b/modules/sqlops/sql_api.c
index eeb6facd63f..e11ae297941 100644
--- a/modules/sqlops/sql_api.c
+++ b/modules/sqlops/sql_api.c
@@ -199,14 +199,16 @@ sql_result_t* sql_get_result(str *name)
 			return sr;
 		sr = sr->next;
 	}
-	sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t));
+	sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t) + name->len);
 	if(sr==NULL)
 	{
 		LM_ERR("no pkg memory\n");
 		return NULL;
 	}
 	memset(sr, 0, sizeof(sql_result_t));
-	sr->name = *name;
+	memcpy(sr+1, name->s, name->len);
+	sr->name.s = (char *)(sr + 1);
+	sr->name.len = name->len;
 	sr->resid = resid;
 	sr->next = _sql_result_root;
 	_sql_result_root = sr;
@@ -685,6 +687,7 @@ void sql_destroy(void)
 		pkg_free(r);
 		r = r0;
 	}
+	_sql_result_root = NULL;
 }
 
 /**