Fix crash while processing received “200 Registration successful” response in reg-on-response=true context
Crash conditions
- Use an asynchronous registrar DB backend (e.g. Redis).
- Enable the reg-on-response feature.
- The Contact-URI in the “200 Registration successful” response has no “unique-id” parameter (default: +sip.instance=…).
Crash analysis
The crash is caused by a memory corruption made by the RegistrarDB::bind() method, which adds a parameter (pub-gruu=) in the Contact-URI of the given SIP message but uses a sofiasip::Home object on the stack for the newly allocated buffers. Thus, the buffer which holds the pub-gruu parameter is destroyed on return from the method.
That wouldn't cause any problem if the listener were called synchronously, but the Redis backend is asynchronous.
Furthermore, the memory corruption also impacts the Contact-URI in the ResponseContext object, because it has been used to substitute the Contact-URI of the SIP message (without copy) just before calling RegistrarDB::bind().
Fix
Make RegistrarDb::bind() work on a copy of the given SIP message before modifying the Contact-URI.
Extra changes
- Change the RegistrarDb interface so that bind() uses a reference to a MsgSip object instead of sip_t *.
- Make the ResponseContext object copy the Contact-URI into its own sofiasip::Home.
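The lifetime problem described above, modelled as an added stand-alone example (not Flexisip's or sofia-sip's code): `Home`, `MsgSip`, `AsyncBackend` and `scenario()` are stand-ins that only track whether an arena-owned buffer is still alive when the backend's deferred callback runs, contrasting the stack-Home pattern with a bind() that works on a copy of the message whose Home is kept alive by the callback.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>
// Stand-in for an arena like sofiasip::Home (not Flexisip's class): buffers it hands out
// are usable only while the Home is alive; destroying the Home marks them dead.
struct Home {
    struct Buf { std::string text; bool alive = true; };
    std::vector<std::shared_ptr<Buf>> owned;
    std::shared_ptr<Buf> dup(const std::string& s) { owned.push_back(std::make_shared<Buf>(Buf{s})); return owned.back(); }
    ~Home() { for (auto& b : owned) b->alive = false; }
};
// Minimal SIP message: only the Contact-URI parameter string matters here.
struct MsgSip { std::shared_ptr<Home::Buf> contactParams; };
// Stand-in for an asynchronous registrar backend (e.g. Redis): the completion callback
// runs only after bind() has returned, so bind()'s stack frame is already gone.
struct AsyncBackend {
    std::vector<std::function<void()>> pending;
    void post(std::function<void()> cb) { pending.push_back(std::move(cb)); }
    void runPending() { for (auto& cb : pending) cb(); pending.clear(); }
};
static const std::string kPubGruu = ";pub-gruu=\"sip:alice@example.org;gr=urn:uuid:placeholder\"";
// Buggy pattern: pub-gruu is allocated from a Home on bind()'s stack and the caller's
// message is modified in place, so the callback later reads a dead buffer.
void bindBuggy(AsyncBackend& db, MsgSip& msg, bool* aliveAtCallback) {
    Home home;                                  // destroyed on return from bind()
    msg.contactParams = home.dup(kPubGruu);     // caller's message now points into `home`
    db.post([&msg, aliveAtCallback] { *aliveAtCallback = msg.contactParams->alive; });
}
// Fixed pattern (as described in the commit): bind() works on a copy of the message, and
// the Home owning the new buffer is kept alive by the callback that needs it.
void bindFixed(AsyncBackend& db, const MsgSip& msg, bool* aliveAtCallback) {
    auto home = std::make_shared<Home>();
    auto copy = std::make_shared<MsgSip>(msg);  // caller's message stays untouched
    copy->contactParams = home->dup(kPubGruu);
    db.post([home, copy, aliveAtCallback] { *aliveAtCallback = copy->contactParams->alive; });
}
struct Outcome { bool aliveAtCallback; bool callerMsgModified; };
// Drives one scenario: was the Contact-URI buffer still alive when the backend callback
// fired, and did bind() change the caller's message (constructed sample contact below)?
Outcome scenario(bool fixed) {
    AsyncBackend db;
    Home requestHome;                           // owns the incoming message's contact
    MsgSip msg{requestHome.dup(";+sip.instance=\"<urn:uuid:placeholder>\"")};
    auto original = msg.contactParams;
    bool alive = false;
    if (fixed) bindFixed(db, msg, &alive); else bindBuggy(db, msg, &alive);
    db.runPending();                            // async completion, after bind() returned
    return {alive, msg.contactParams != original};
}
```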