dialog: fix use-after-free and race in cluster replication#3860
Open
NormB wants to merge 1 commit into OpenSIPS:master from
Conversation
Fix three bugs triggered when SIP-I messages with binary ISUP data are replicated across a dialog cluster with reinvite pinging enabled.

1. dlg_replicated_create: after _link_dlg_unsafe() links the dialog into the hash table, subsequent DLG_BIN_POP failures jumped to pre_linking_error which calls destroy_dlg() without unlinking. This leaves a dangling pointer in the hash chain — other workers dereference freed memory (GPF). Add post_linking_error label that calls unlink_unsafe_dlg() before destroy.

2. write_dialog_vars: the read lock on vals_lock was released between the sizing pass and the write pass. A concurrent store_dlg_value() (e.g. from persist_reinvite_pinging storing multipart SDP+ISUP bodies) can modify the vals list in between, causing a buffer overflow and corrupted serialization. Hold the read lock through both passes.

3. strip_esc: when len==1 and *c is backslash, *(c+1) reads one byte past the string. Add len>1 guard.

Closes OpenSIPS#3858
Summary
Fix three bugs triggered when SIP-I messages with binary ISUP data are replicated across a dialog cluster with reinvite pinging enabled.
dlg_replicated_create: after _link_dlg_unsafe() links the dialog into the hash table, DLG_BIN_POP failures jumped to pre_linking_error which calls destroy_dlg() without unlinking — leaves a dangling pointer in the hash chain
write_dialog_vars: read lock released between the sizing pass and the write pass, allowing concurrent store_dlg_value() to corrupt the buffer
strip_esc: *(c+1) read past string end when last byte is backslash
Reproduction
2-node cluster, 16 workers, reinvite_ping_interval=5, 300 CPS with multipart SDP+ISUP bodies and concurrent re-INVITEs. Unpatched: SIGSEGV in free_dlg_dlg() — shm_free(0xabcdefedabcdefed) (freed-memory poison). Patched: same load, zero crashes.
Closes #3858
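The first bug is an error-path ordering problem: once a record is linked into a shared hash chain, any failure that frees it must unlink it first. The following is an added, self-contained illustration of that ordering (not OpenSIPS code; the toy struct dlg, the global table, hash_callid() and the fail_at knob that simulates a failed DLG_BIN_POP are all assumptions made for the demo). A failure after link_dlg() goes through post_linking_error, which unlinks before destroy_dlg(); a failure before the link goes straight to pre_linking_error.

```c
#include <stdlib.h>
#include <string.h>

#define DLG_HASH_SIZE 64

/* Toy dialog record and hash table. Illustrative only: the names mirror
 * the PR description, but this is not OpenSIPS's dlg_cell or d_table. */
struct dlg {
    unsigned h_entry;        /* bucket index, derived from the Call-ID */
    char callid[64];
    char from_tag[64];
    struct dlg *next;        /* intrusive bucket chain */
};

static struct dlg *table[DLG_HASH_SIZE];

unsigned hash_callid(const char *callid)
{
    unsigned h = 5381;
    for (; *callid; callid++)
        h = h * 33 + (unsigned char)*callid;
    return h % DLG_HASH_SIZE;
}

/* Once linked, the dialog is reachable by every worker that walks this
 * bucket, so it must be unlinked before it is ever freed. */
void link_dlg(struct dlg *d)
{
    d->next = table[d->h_entry];
    table[d->h_entry] = d;
}

void unlink_dlg(struct dlg *d)
{
    struct dlg **pp;
    for (pp = &table[d->h_entry]; *pp; pp = &(*pp)->next) {
        if (*pp == d) {
            *pp = d->next;
            d->next = NULL;
            return;
        }
    }
}

void destroy_dlg(struct dlg *d)
{
    free(d);
}

int bucket_len(unsigned h)
{
    int n = 0;
    for (struct dlg *d = table[h % DLG_HASH_SIZE]; d; d = d->next)
        n++;
    return n;
}

/* Simulated decode of a replication message. Fields are "popped" in order;
 * fail_at selects which pop fails (0 = none), so a truncated packet can be
 * reproduced deterministically. The dialog is linked before the last field
 * is decoded, the ordering the bug depends on: a failure after the link
 * must go through post_linking_error, never straight to pre_linking_error,
 * or the bucket keeps a pointer to freed memory. */
struct dlg *replicated_create(const char *callid, const char *from_tag, int fail_at)
{
    struct dlg *d = calloc(1, sizeof *d);
    if (!d)
        return NULL;

    if (fail_at == 1)                         /* pop of the Call-ID failed */
        goto pre_linking_error;
    strncpy(d->callid, callid, sizeof d->callid - 1);
    d->h_entry = hash_callid(d->callid);
    link_dlg(d);

    if (fail_at == 2)                         /* pop of the From-tag failed */
        goto post_linking_error;
    strncpy(d->from_tag, from_tag, sizeof d->from_tag - 1);
    return d;

post_linking_error:
    unlink_dlg(d);                            /* leave no dangling chain entry */
pre_linking_error:
    destroy_dlg(d);
    return NULL;
}
```

After a simulated failure at fail_at == 2 the bucket is empty again; under the original jump to pre_linking_error it would still hold the freed pointer, which is what the next worker walking the chain would dereference.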
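The second bug is a size-then-write race: a buffer sized under one lock acquisition and filled under another is only as big as the list was at sizing time. The following added example (not OpenSIPS code; the value list, the wire format and the C11 atomic_flag spinlock standing in for the module's read/write lock are all assumptions for the demo) shows the two mitigations together: both passes run under one lock hold, so a concurrent store_val() waits, and the write pass still checks every write against the capacity so that any future mismatch becomes an error return instead of a heap overflow.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative dialog-value store, not OpenSIPS's dlg_val list or
 * write_dialog_vars(). A C11 spinlock stands in for the rw lock. */
struct val {
    char name[32];
    unsigned char *data;
    uint32_t len;
    struct val *next;
};

struct val_list {
    atomic_flag lock;
    struct val *head;
};

static void lock_acquire(atomic_flag *f) { while (atomic_flag_test_and_set(f)) ; }
static void lock_release(atomic_flag *f) { atomic_flag_clear(f); }

void val_list_init(struct val_list *l)
{
    atomic_flag_clear(&l->lock);
    l->head = NULL;
}

/* Writer side: the equivalent of a store_dlg_value() from another worker. */
int store_val(struct val_list *l, const char *name, const void *data, uint32_t len)
{
    struct val *v = calloc(1, sizeof *v);
    if (!v)
        return -1;
    v->data = malloc(len);
    if (!v->data) { free(v); return -1; }
    strncpy(v->name, name, sizeof v->name - 1);
    memcpy(v->data, data, len);
    v->len = len;

    lock_acquire(&l->lock);
    v->next = l->head;
    l->head = v;
    lock_release(&l->lock);
    return 0;
}

/* Wire format (demo only): u32 count, then per value u32 name_len, name,
 * u32 data_len, data. Host byte order is fine for an in-process demo. */
static void put_u32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

/* Sizing pass. Caller must hold the lock. */
size_t vals_wire_size(const struct val_list *l)
{
    size_t n = 4;
    for (const struct val *v = l->head; v; v = v->next)
        n += 4 + strlen(v->name) + 4 + v->len;
    return n;
}

/* Write pass. Caller must hold the lock. Returns bytes written, or -1 if
 * the list does not fit in cap. With the lock held across both passes this
 * cannot trigger; the check is what keeps a future mistake from becoming
 * memory corruption. */
long vals_wire_write(const struct val_list *l, unsigned char *buf, size_t cap)
{
    size_t off = 0;
    uint32_t count = 0;
    for (const struct val *v = l->head; v; v = v->next)
        count++;

    if (cap < 4)
        return -1;
    put_u32(buf, count);
    off = 4;
    for (const struct val *v = l->head; v; v = v->next) {
        size_t nlen = strlen(v->name);
        if (cap - off < 4 + nlen + 4 + v->len)
            return -1;
        put_u32(buf + off, (uint32_t)nlen); off += 4;
        memcpy(buf + off, v->name, nlen);   off += nlen;
        put_u32(buf + off, v->len);         off += 4;
        memcpy(buf + off, v->data, v->len); off += v->len;
    }
    return (long)off;
}

/* Both passes under a single lock hold, so the size from the first pass is
 * still valid when the second pass runs. */
unsigned char *serialize_vals(struct val_list *l, size_t *out_len)
{
    unsigned char *buf = NULL;
    long n = -1;

    lock_acquire(&l->lock);
    size_t need = vals_wire_size(l);
    buf = malloc(need);
    if (buf)
        n = vals_wire_write(l, buf, need);
    lock_release(&l->lock);

    if (n < 0) { free(buf); return NULL; }
    *out_len = (size_t)n;
    return buf;
}
```

Releasing the lock between vals_wire_size() and vals_wire_write() would reintroduce the race; the bounds check in the write pass is the second line of defence and is cheap enough to keep regardless.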
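The third bug is a one-byte over-read in a length-delimited (not NUL-terminated) buffer: looking at the byte after a backslash is only valid when that byte is still inside the buffer. The following is an added unescape routine written for this page (an assumption, not OpenSIPS's strip_esc(); the exact escaping rules it implements are the demo's own) that shows the guard as a pointer comparison against the buffer end rather than a test on the remaining length, so it reads nothing past len bytes even when the last byte is a backslash.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical in-place unescape, not OpenSIPS's strip_esc(): a backslash
 * followed by another byte is dropped and the escaped byte is kept. The
 * buffer is 'len' bytes with no terminator, so the end check is the only
 * thing stopping the read of c+1. A trailing backslash is copied through
 * as a literal. Returns the new length. */
size_t unescape_inplace(char *s, size_t len)
{
    char *c = s, *end = s + len, *out = s;

    while (c < end) {
        /* Look at c+1 only when it is still inside the buffer; without
         * the (c + 1 < end) test a 1-byte buffer holding "\" reads one
         * byte past its end. */
        if (*c == '\\' && c + 1 < end)
            c++;                        /* drop the backslash, keep what it escaped */
        *out++ = *c++;
    }
    return (size_t)(out - s);
}
```

Running the test below under AddressSanitizer with the guard removed reports a one-byte heap or stack over-read on the single-backslash case, which is the failure mode the patch description names.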