Commit 5767d4d

rtpengine: fix use-after-free of flags string in bencode dictionary
parse_flags() stores pointers into the pkg-allocated flags_nt.s buffer via bencode_str() and bencode_dictionary_add_len(), which hold references (not copies). The buffer was freed via pkg_free() before send_rtpe_command() serialized the dictionary, causing garbled output for key=value flags like media-address.

Fix by deferring the free via bencode_buffer_destroy_add(), which ensures the buffer lives until bencode_buffer_free() is called after the command is sent.

Fixes: #3784
1 parent dbfac4e commit 5767d4d

1 file changed

Lines changed: 5 additions & 1 deletion

modules/rtpengine/rtpengine.c

@@ -2811,8 +2811,12 @@ static int rtpe_function_call_prepare(bencode_buffer_t *bencbuf, struct sip_msg
28112811
goto error;
28122812
}
28132813

2814+
/* flags_nt.s must remain valid until the bencode buffer is serialized
2815+
* and sent, because parse_flags() stores pointers into it (via bencode_str
2816+
* and bencode_dictionary_add_len) for key=value flags like media-address.
2817+
* Register it for cleanup when the bencode buffer is freed. */
28142818
if (flags_nt.s)
2815-
pkg_free(flags_nt.s);
2819+
bencode_buffer_destroy_add(bencbuf, (free_func_t)pkg_free, flags_nt.s);
28162820

28172821
return 1;
28182822

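Review bot: The hunk only changes the success path; the `goto error;` visible at its top exits before `bencode_buffer_destroy_add()` has registered flags_nt.s, so please confirm the `error:` label still calls `pkg_free(flags_nt.s)` for that path (otherwise the fix trades a use-after-free for a leak), and that nothing after this point frees flags_nt.s a second time now that the bencode buffer owns it (that would be a double free when `bencode_buffer_free()` runs). A secondary point on `(free_func_t)pkg_free`: if `pkg_free` is a macro with extra arguments in memory-debugging builds, taking its address through a cast will not behave as intended; a small static wrapper of the form `static void free_flags(void *p) { pkg_free(p); }` registered instead of the cast avoids that and keeps the type check honest.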