From ed12500804ccdbf4f9428e1fc8c1fcfe58217f6e Mon Sep 17 00:00:00 2001
From: Julien Chavanton
Date: Wed, 2 Jun 2021 20:39:00 +0000
Subject: [PATCH] tm: prevent t_suspend memory leak

When suspending while already in t_continue when processing a reply / suspending twice in a reply.
---
 src/modules/tm/t_suspend.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/src/modules/tm/t_suspend.c b/src/modules/tm/t_suspend.c
index 4c8de42ce6d..641fd2bed1b 100644
--- a/src/modules/tm/t_suspend.c
+++ b/src/modules/tm/t_suspend.c
@@ -118,18 +118,23 @@ int t_suspend(struct sip_msg *msg,
 LM_ERR("failed find UAC branch\n");
 return -1;
 }
- LM_DBG("found a a match with branch id [%d] - "
- "cloning reply message to t->uac[branch].reply\n", branch);
- sip_msg_len = 0;
- t->uac[branch].reply = sip_msg_cloner( msg, &sip_msg_len );
+ if (!t->uac[branch].reply) {
+ sip_msg_len = 0;
+ LM_DBG("found a match with branch id [%d] - "
+ "cloning reply message to t->uac[branch].reply\n", branch);
+ t->uac[branch].reply = sip_msg_cloner( msg, &sip_msg_len );

- if (! t->uac[branch].reply ) {
- LM_ERR("can't alloc' clone memory\n");
- return -1;
+ if (! t->uac[branch].reply ) {
+ LM_ERR("can't alloc' clone memory\n");
+ return -1;
+ }
+ t->uac[branch].end_reply = ((char*)t->uac[branch].reply) + sip_msg_len;
+ } else {
+ LM_DBG("found a match with branch id [%d] - "
+ "message already cloned to t->uac[branch].reply\n", branch);
+ // This can happen when suspending more than once in a reply.
 }

- t->uac[branch].end_reply = ((char*)t->uac[branch].reply) + sip_msg_len;
-
 LM_DBG("saving transaction data\n");
 t->uac[branch].reply->flags = msg->flags;
 t->flags |= T_ASYNC_SUSPENDED;
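Review bot: In the new `else` branch any non-NULL `t->uac[branch].reply` is assumed to be a live clone, and the unchanged `t->uac[branch].reply->flags = msg->flags;` right after the block then writes through that pointer. This is safe only if every path that frees the clone also resets the pointer to NULL, and if the slot can never hold a non-NULL placeholder such as tm's `FAKED_REPLY` when a reply is suspended; neither is visible here, since t_suspend starts and ends outside the hunk and the release happens elsewhere. The kept clone is also the reply from the first suspend, so if `msg` can be a different reply on the same branch, the continuation would presumably resume with stale content. I would state the invariant at the `else`, e.g. `/* reply is still the clone made by the first suspend; it is reset to NULL when freed */`, and guard the reuse with `if (t->uac[branch].reply == FAKED_REPLY) return -1;` if that case is reachable.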