fix: update cloned msg under lock to avoid races with branch injection #3528

vladpaiu · 2024-11-26T16:31:41Z

Summary
Aims to fix double free crash happening when a branch gets injected into a transaction which has not relayed yet.

Details

process Y creates the transaction and calls t_wait_for_new_branches() ( either directly or via lookup() )
procesX tries to inject a new branch and makes a clone of t.uas.request https://github.com/OpenSIPS/opensips/blob/master/modules/tm/t_fwd.c#L1064
proces Y calls t_relay() and updates t.uas.request https://github.com/OpenSIPS/opensips/blob/master/modules/tm/tm.c#L1339, frees old add_rm ( along other old fields ) https://github.com/OpenSIPS/opensips/blob/master/modules/tm/sip_msg.c#L1286
procesX tries to free it's fake req, https://github.com/OpenSIPS/opensips/blob/master/modules/tm/t_msgbuilder.h#L403 ,finds a different pointer than the one in t.uas.request, ending in a double free

Solution
When doing t_relay(), update the UAS request under lock, to avoid these race conditions

Compatibility
Should be backwards compatible

update cloned msg under lock to avoid races with branch injection

d050570

vladpaiu added the bug label Nov 26, 2024

vladpaiu added this to the 3.6-dev milestone Nov 26, 2024

vladpaiu assigned bogdan-iancu Nov 26, 2024

vladpaiu requested a review from bogdan-iancu November 26, 2024 16:34

akuriakose-sorenson approved these changes Nov 27, 2024

View reviewed changes

vladpaiu requested review from akuriakose-sorenson and removed request for akuriakose-sorenson November 27, 2024 18:59

Provide feedback