François Grisez requested to merge hotfix/reg_on_response_crash into release/2.0

Fix crash while processing received “200 Registration successful” response in reg-on-response=true context

Crash conditions

  • Use an asynchronous registrar DB backend (e.g. Redis).
  • Enable reg-on-response feature.
  • The Contact-URI in the “200 Registration successful” response has no “unique-id” parameter (Default: +sip.instance=…).

Crash analysis

The crash is caused by a memory corruption made by the RegistrarDB::bind() method, which adds a parameter (pub-gruu=) in the Contact-URI of the given SIP message but using a sofiasip::Home object in stack for new allocated buffers. Thus, the buffer which holds the pub-gruu parameter is destroyed on return from the method.

That wouldn't cause any problem if the listener were called synchronously, but the Redis backend is asynchronous.

Furthermore, the memory corruption also impacts the Contact-URI in the ResponseContext object because it has been used to substitute the Contact-URI of the SIP message (without copy) just before calling RegistrarDB::bind().

Fix

Make RegistrarDb::bind() work on a copy of the given SIP message before modifying the Contact-URI.

Extra changes

  • Change the RegistrarDb interface so that bind() uses a reference to a MsgSip object instead of a sip_t *.
  • Make the ResponseContext object copy the Contact-URI into its own sofiasip::Home.
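
The lifetime bug described above, reduced to a self-contained C++ model (added illustration, not code from Flexisip or sofia-sip). The `Arena`, `Message`, `AsyncBackend`, `bindBuggy` and `bindFixed` names are constructed stand-ins for sofiasip::Home, the SIP message, the asynchronous Redis backend and the two shapes of RegistrarDb::bind(); instead of really freeing memory, the arena clears an `alive` flag on destruction so the dangling reference can be observed deterministically. The buggy variant rewrites the Contact-URI in place using a stack arena, so both the caller's message (the ResponseContext case) and the deferred listener see a dead buffer; the fixed variant works on a copy whose arena is owned by the pending operation.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for a sofia-sip style arena (sofiasip::Home): every
// string it hands out belongs to the arena and dies with it. Each block
// carries an "alive" flag that the destructor clears, so a use-after-scope
// can be detected without invoking undefined behaviour.
struct Arena {
    struct Block { std::string text; bool alive = true; };
    std::vector<std::shared_ptr<Block>> blocks;

    std::shared_ptr<Block> dup(const std::string& s) {
        auto b = std::make_shared<Block>();
        b->text = s;
        blocks.push_back(b);
        return b;
    }
    ~Arena() { for (auto& b : blocks) b->alive = false; }
};

// Minimal message model: the Contact-URI is a non-owning view into whichever
// arena produced it (constructed stand-in for sip_t / MsgSip).
struct Contact { std::shared_ptr<Arena::Block> uri; };
struct Message { Contact contact; };

// Deferred-callback queue standing in for the asynchronous Redis backend:
// the registrar listener runs only after bind() has returned.
using Listener = std::function<void(const Message&)>;
struct AsyncBackend {
    std::vector<std::function<void()>> pending;
    void run() { for (auto& f : pending) f(); pending.clear(); }
};

// Appends a pub-gruu parameter to the Contact-URI (placeholder value).
static std::string withPubGruu(const std::string& uri) {
    return uri + ";pub-gruu=\"sip:alice@example.invalid;gr=PLACEHOLDER\"";
}

// Buggy shape: the rewritten URI is allocated from an arena on this frame's
// stack and the message is modified in place, so the caller's message and the
// deferred listener both point at memory released when bind() returns.
void bindBuggy(Message& msg, AsyncBackend& db, Listener onDone) {
    Arena home;  // destroyed at the end of this function
    msg.contact.uri = home.dup(withPubGruu(msg.contact.uri->text));
    db.pending.push_back([msg, onDone] { onDone(msg); });
}

// Fixed shape: work on a copy of the message whose Contact-URI lives in an
// arena owned by the pending operation, so the buffer outlives bind() and the
// caller's message is left untouched.
void bindFixed(const Message& msg, AsyncBackend& db, Listener onDone) {
    auto home = std::make_shared<Arena>();
    Message copy{Contact{home->dup(withPubGruu(msg.contact.uri->text))}};
    db.pending.push_back([home, copy, onDone] { onDone(copy); });
}

// What the listener and the caller observe once the async completion runs.
struct Observation {
    bool listenerUriAlive;
    bool callerUriAlive;
    std::string listenerUri;
};

Observation runScenario(bool useFix) {
    AsyncBackend db;
    Observation obs{false, false, ""};
    Listener listener = [&obs](const Message& m) {
        obs.listenerUriAlive = m.contact.uri->alive;
        obs.listenerUri = m.contact.uri->text;
    };
    Arena callerHome;  // owns the caller's message, like a ResponseContext
    Message original{Contact{callerHome.dup("sip:alice@example.invalid")}};
    if (useFix) bindFixed(original, db, listener);
    else        bindBuggy(original, db, listener);
    db.run();  // bind() has returned; bindBuggy's stack arena is already gone
    obs.callerUriAlive = original.contact.uri->alive;
    return obs;
}

int main() {
    Observation buggy = runScenario(false), fixed = runScenario(true);
    // Buggy: listener and caller both hold a dead URI. Fixed: both stay alive.
    bool ok = !buggy.listenerUriAlive && !buggy.callerUriAlive
              && fixed.listenerUriAlive && fixed.callerUriAlive;
    return ok ? 0 : 1;
}
```

The general lesson is the one the MR applies: any buffer handed to an asynchronous completion must be owned by something that lives at least as long as that completion, never by an arena scoped to the function that schedules it.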