From d7e42ceef76e66b06d97159e71043fd552a29e8c Mon Sep 17 00:00:00 2001
From: jaybeepee <jason.penton@gmail.com>
Date: Fri, 12 Feb 2016 20:48:14 +0200
Subject: [PATCH] modules/ims_registrar_scscf: fixed segfault on multiple impu
 when building notify     - also reported and fixed by Dragos Oancea

---
 modules/ims_registrar_scscf/registrar_notify.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/ims_registrar_scscf/registrar_notify.c b/modules/ims_registrar_scscf/registrar_notify.c
index df1f0b1cd17..70eb978ed9c 100644
--- a/modules/ims_registrar_scscf/registrar_notify.c
+++ b/modules/ims_registrar_scscf/registrar_notify.c
@@ -2006,9 +2006,9 @@ reg_notification * new_notification(str subscription_state,
     char *p;
 
     len = sizeof (reg_notification) + r->call_id.len + r->from_tag.len + r->to_tag.len + r->watcher_uri.len + r->watcher_contact.len +
-            r->record_route.len + r->sockinfo_str.len + r->presentity_uri.len + subscription_state.len + content_type.len + (num_impus*sizeof(str)); // + buf.len;
+            r->record_route.len + r->sockinfo_str.len + r->presentity_uri.len + subscription_state.len + content_type.len + (num_impus)*sizeof(str); // + buf.len;
     for (i=0; i<num_impus; i++) {
-        len += impus[i]->len;
+        len += (*impus)[i].len;
     }
 
     LM_DBG("Creating new notification");
@@ -2084,13 +2084,13 @@ reg_notification * new_notification(str subscription_state,
     p += content_type.len;
     LM_DBG("Notification content type: [%.*s]", n->content_type.len, n->content_type.s);
 
-    n->impus = p;
+    n->impus = (str*)p;
     p += sizeof(str)*num_impus;
     for (i=0; i<num_impus; i++) {
         n->impus[i].s = p;
-        memcpy(p, impus[i]->s, impus[i]->len);
-        n->impus[i].len = impus[i]->len;
-        p += impus[i]->len;
+        memcpy(p, (*impus)[i].s, (*impus)[i].len);
+        n->impus[i].len = (*impus)[i].len;
+        p += (*impus)[i].len;
     }
     n->num_impus = num_impus;