
Commit bb45ea3

committed
rtpengine: fix use-after-free of flags string in bencode dictionary
parse_flags() stores pointers into the pkg-allocated flags_nt.s buffer via bencode_str() and bencode_dictionary_add_len(), which hold references (not copies). The buffer was freed via pkg_free() before send_rtpe_command() serialized the dictionary, causing garbled output for key=value flags like media-address. Fix by deferring the free via bencode_buffer_destroy_add(), which ensures the buffer lives until bencode_buffer_free() is called after the command is sent. Fixes: #3784
1 parent dbfac4e commit bb45ea3

1 file changed

Lines changed: 7 additions & 1 deletion


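--- a/modules/rtpengine/rtpengine.c
+++ b/modules/rtpengine/rtpengine.c
@@ -2638,6 +2638,8 @@ static int rtpe_check_ignore_node(str *error)
 return ret;
 }
 
+static void pkg_free_wrapper(void *p) { pkg_free(p); }
+
 static int rtpe_function_call_prepare(bencode_buffer_t *bencbuf, struct sip_msg *msg, enum rtpe_operation op,
 struct ng_flags_parse *ng_flags, str *flags_str, str *body_in, bencode_item_t *extra_dict, char **err)
 {
@@ -2811,8 +2813,12 @@ static int rtpe_function_call_prepare(bencode_buffer_t *bencbuf, struct sip_msg
 goto error;
 }
 
+/* flags_nt.s must remain valid until the bencode buffer is serialized
+* and sent, because parse_flags() stores pointers into it (via bencode_str
+* and bencode_dictionary_add_len) for key=value flags like media-address.
+* Register it for cleanup when the bencode buffer is freed. */
 if (flags_nt.s)
-pkg_free(flags_nt.s);
+bencode_buffer_destroy_add(bencbuf, pkg_free_wrapper, flags_nt.s);
 
 return 1;
 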
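Review bot: pkg_free_wrapper in the first hunk is undocumented and its single-line form departs from the brace style visible a few lines below, where rtpe_function_call_prepare opens its brace on its own line. Presumably the wrapper exists because pkg_free() is a macro in this codebase and so cannot be handed to bencode_buffer_destroy_add() as a callback; a comment should state that, e.g. `/* pkg_free() is a macro and cannot be used as a callback; bencode_buffer_destroy_add() needs a real function pointer. */`. In the second hunk the lifetime of flags_nt.s is now bound to bencode_buffer_free(): if any caller abandons bencbuf without freeing it after rtpe_function_call_prepare() returns 1 (for instance on a send_rtpe_command() failure), the flags buffer leaks where the old unconditional pkg_free() did not, so the callers should be checked. The registration happens only on the success path, so the `error:` label above the hunk must still release flags_nt.s itself; rtpe_function_call_prepare's body starts and ends outside the hunk, so both points need confirming in the full function.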