reply: heap-use-after-free bug #1178

Closed
sreimers opened this issue Aug 18, 2024 · 0 comments · Fixed by #1179

Comments

sreimers commented Aug 18, 2024

==1005524==ERROR: AddressSanitizer: heap-use-after-free on address 0x51400012c250 at pc 0x5d06353e6881 bp 0x7ffdd7d594f0 sp 0x7ffdd7d594e8
READ of size 8 at 0x51400012c250 thread T0
    #0 0x5d06353e6880 in mem_deref /re/src/mem/mem.c:369:2
    #1 0x5d06354710ca in tmr_handler /re/src/sipsess/reply.c:72:2
    #2 0x5d0635425746 in tmr_poll /re/src/tmr/tmr.c:160:3
    #3 0x5d06353ded6a in re_main /re/src/main/main.c:1077:3
    #4 0x5d0635315442 in main /home/mix/ptt/server/src/main.c:336:8
    #5 0x79f3f9e34e07 in __libc_start_call_main /usr/src/debug/glibc/glibc/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x79f3f9e34ecb in __libc_start_main /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:360:3

0x51400012c250 is located 16 bytes inside of 440-byte region [0x51400012c240,0x51400012c3f8)
freed by thread T0 here:
    #0 0x5d06352c62e2 in free.part.0 asan_malloc_linux.cpp.o
    #1 0x5d06353e6b45 in mem_deref /re/src/mem/mem.c:390:2
    #2 0x5d06353dadf7 in list_flush /re/src/list/list.c:51:3
    #3 0x5d06354739b1 in destructor /re/src/sipsess/sess.c:146:2
    #4 0x5d06353e69cd in mem_deref /re/src/mem/mem.c:376:3
    #5 0x5d06354710c1 in tmr_handler /re/src/sipsess/reply.c:69:3
    #6 0x5d0635425746 in tmr_poll /re/src/tmr/tmr.c:160:3
    #7 0x5d06353ded6a in re_main /re/src/main/main.c:1077:3

previously allocated by thread T0 here:
    #0 0x5d06352c7289 in malloc (/home/mix/ptt/server/build/ptt+0x16a289) (BuildId: 80de04f6f5107950b1cc817720e8c9221d0da097)
    #1 0x5d06353e5f50 in mem_alloc /re/src/mem/mem.c:166:6
    #2 0x5d06353e629c in mem_zalloc /re/src/mem/mem.c:198:6
    #3 0x5d0635470145 in sipsess_reply_2xx /re/src/sipsess/reply.c:127:11
    #4 0x5d0635465bee in sipsess_answer /re/src/sipsess/accept.c:185:8
    #5 0x5d0635396fec in call_answer /baresip/src/call.c:1305:9
    #6 0x5d0635351493 in ua_answer /baresip/src/ua.c:1444:9
    #7 0x5d0635310dea in ua_event_handler /home/mix/ptt/server/src/app.c:419:3
    #8 0x5d0635331897 in ua_event /baresip/src/bevent.c:700:3
    #9 0x5d063534da3c in call_event_handler /baresip/src/ua.c:532:3
    #10 0x5d06353949fc in call_event_handler /baresip/src/call.c:184:2
    #11 0x5d0635393586 in mnat_handler /baresip/src/call.c:238:3
    #12 0x5d0635377c00 in turn_handler /baresip/modules/turn/turn.c:221:2
    #13 0x5d063542be6a in allocate_resp_handler /re/src/turn/turnc.c:156:2
    #14 0x5d06354b76ed in completed /re/src/stun/ctrans.c:64:3
    #15 0x5d06354b734e in stun_ctrans_recv /re/src/stun/ctrans.c:216:3
    #16 0x5d06354297e7 in udp_recv_handler /re/src/turn/turnc.c:365:9
    #17 0x5d063543106d in udp_read /re/src/udp/udp.c:202:10
    #18 0x5d063542f03e in udp_read_handler /re/src/udp/udp.c:220:2
    #19 0x5d06353e0471 in fd_poll /re/src/main/main.c:918:4
    #20 0x5d06353ded0a in re_main /re/src/main/main.c:1057:9

SUMMARY: AddressSanitizer: heap-use-after-free /re/src/mem/mem.c:369:2 in mem_deref
sreimers added a commit that referenced this issue Aug 18, 2024
fixes #1178 - `mem_deref(sess)` calls list_flush(&sess->replyl)
within destructor and reply is a dangling pointer after this.
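The ordering problem the trace and commit message describe, reduced to a toy model as an added example (not libre's code, and not the fix merged in #1179): a refcounted session whose destructor flushes its reply list, and a timer handler that derefs the session first and then touches the reply that the flush already freed. The `obj_*` helpers, the one-entry `replyl`, and the "pin the reply with an extra reference" remedy are all constructed for illustration; freed blocks are quarantined instead of released so the dangling deref can be counted rather than trigger undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Toy stand-in for libre's refcounted mem_alloc/mem_ref/mem_deref
 * (constructed for this example, not libre's code). A block whose count
 * reaches zero runs its destructor and is then quarantined, never free()d,
 * so a later deref through a dangling pointer is counted instead of
 * being undefined behaviour (ASan reports it as a READ in mem_deref). */
struct hdr { int nrefs; void (*dh)(void *); bool freed; };
static int uaf_count;   /* derefs that read an already-freed header */

static void *obj_zalloc(size_t sz, void (*dh)(void *))
{
	struct hdr *h = calloc(1, sizeof(*h) + sz);
	h->nrefs = 1;
	h->dh = dh;
	return h + 1;
}
static void *obj_ref(void *p) { ((struct hdr *)p - 1)->nrefs++; return p; }
static void *obj_deref(void *p)
{
	struct hdr *h = p ? (struct hdr *)p - 1 : NULL;
	if (!h) return NULL;
	if (h->freed) { uaf_count++; return NULL; }   /* use-after-free */
	if (--h->nrefs == 0) {
		if (h->dh) h->dh(p);
		h->freed = true;                      /* quarantine, never reused */
	}
	return NULL;
}

struct reply { struct sess *sess; };
struct sess  { struct reply *replyl; };  /* one-entry stand-in for replyl */

/* Like the sess.c destructor: list_flush(&sess->replyl) drops the reply. */
static void sess_destructor(void *arg) { obj_deref(((struct sess *)arg)->replyl); }

/* Timer handler with the deref order from the report (session first, then
 * reply). With hold_ref the reply is pinned across the session teardown,
 * one common remedy in refcounted code. Returns the number of UAFs seen. */
static int run_tmr_handler(bool hold_ref)
{
	struct sess *sess = obj_zalloc(sizeof(*sess), sess_destructor);
	struct reply *reply = obj_zalloc(sizeof(*reply), NULL);
	sess->replyl = reply;  reply->sess = sess;   /* session owns reply */
	uaf_count = 0;
	if (hold_ref) obj_ref(reply);  /* keep reply alive past sess teardown */
	obj_deref(reply->sess);   /* reply.c:69: drops sess, flushes replyl */
	obj_deref(reply);         /* reply.c:72: dangling unless pinned */
	return uaf_count;
}
```

Without the extra reference the second deref reads a quarantined header (one UAF counted); with it the reply survives the flush and is released cleanly afterwards.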