From 67e9294c871f96e5b9acb81a26f989d9eb7efc85 Mon Sep 17 00:00:00 2001 From: Liviu Chircu Date: Fri, 10 Jan 2025 18:14:16 +0200 Subject: [PATCH] dispatcher: Fix rare crash with 'pvar_algo_pattern' This patch simply moves the name buffer for the 'pvar_algo_pattern' into SHM rather than a stack buffer, in order to avoid invalid memory being referenced past the function's return point. Many thanks to Eric Tamme from Five9 for reporting & testing! (cherry picked from commit fe1a50d2513296819179612b8b072ab70871b9eb) --- modules/dispatcher/dispatch.c | 15 ++++++++------- modules/dispatcher/dispatch.h | 1 + 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/modules/dispatcher/dispatch.c b/modules/dispatcher/dispatch.c index 5e5b9653c98..ca1556f18df 100644 --- a/modules/dispatcher/dispatch.c +++ b/modules/dispatcher/dispatch.c @@ -571,9 +571,16 @@ ds_pvar_param_p ds_get_pvar_param(int id, str uri) int len = ds_pattern_prefix.len + ds_pattern_infix.len + ds_pattern_suffix.len + uri.len + str_id.len; - char buf[len]; /* XXX: check if this works for all compilers */ + char *buf; ds_pvar_param_p param; + param = shm_malloc(sizeof *param + len); + if (!param) { + LM_ERR("no more shm memory\n"); + return NULL; + } + buf = param->buf; + if (ds_pattern_one>DS_PATTERN_NONE) { name.len = 0; name.s = buf; @@ -599,12 +606,6 @@ ds_pvar_param_p ds_get_pvar_param(int id, str uri) name.len += ds_pattern_suffix.len; } - param = shm_malloc(sizeof(ds_pvar_param_t)); - if (!param) { - LM_ERR("no more shm memory\n"); - return NULL; - } - if (!pv_parse_spec(ds_pattern_one>DS_PATTERN_NONE ? &name : &ds_pattern_prefix, ¶m->pvar)) { LM_ERR("cannot parse pattern spec\n"); diff --git a/modules/dispatcher/dispatch.h b/modules/dispatcher/dispatch.h index 7e746921ce2..cdb773375fa 100644 --- a/modules/dispatcher/dispatch.h +++ b/modules/dispatcher/dispatch.h @@ -107,6 +107,7 @@ typedef struct _ds_pvar_param { pv_spec_t pvar; int value; + char buf[0]; } ds_pvar_param_t, *ds_pvar_param_p;
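Review bot: In the first dispatch.c hunk (`@@ -571,9 +571,16 @@`, inside `ds_get_pvar_param`), `shm_malloc(sizeof *param + len)` adds a signed `int len` to a `size_t` with no range check visible in the hunk, and `len` is summed from five `.len` fields including `uri.len`. If that sum could ever be negative or wrap (not determinable from the lines shown), it would be converted to unsigned and the block could end up smaller than the bytes later copied into `param->buf`. A guard ahead of the allocation, such as `if (len < 0) { LM_ERR("invalid pattern length\n"); return NULL; }`, would make the bound explicit. Because the allocation now precedes the name-building code, every exit after it has to `shm_free(param)`. The function begins before this hunk and the body of the `pv_parse_spec` failure branch lies past the second one, so that cannot be confirmed from the diff.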
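Review bot: In the dispatch.h hunk, `char buf[0];` in `ds_pvar_param_t` is a GNU zero-length array; the C99 flexible array member `char buf[];` gives the same layout portably and is not treated as a true zero-size array under stricter bounds checking such as `-fstrict-flex-arrays`. The field also has no comment saying that it is only usable when the struct is allocated as `sizeof *param + len`, as the dispatch.c hunk does. Suggested: `char buf[]; /* pvar name storage; allocate sizeof(ds_pvar_param_t) + name length */`. Any other allocation or by-value copy of this struct is outside the diff, so whether all users respect that sizing is not visible here.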