From 30f6c2aa070f58897e3f3fb651012189a5adff1e Mon Sep 17 00:00:00 2001 From: Bogdan-Andrei Iancu Date: Thu, 13 Jul 2023 12:24:23 +0300 Subject: [PATCH] [tm] fix accessing free'd reference to script route When setting the T->failure reference to NULL, the previously set script reference is automatically free'ed, so be sure you do not use if afterwards. Closes #3115 Credits to @Integration-IT for helping with the troubleshooting and testing --- modules/tm/t_reply.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/tm/t_reply.c b/modules/tm/t_reply.c index 48abaee9eec..db2775ae9f8 100644 --- a/modules/tm/t_reply.c +++ b/modules/tm/t_reply.c @@ -581,7 +581,7 @@ static inline int run_failure_handlers(struct cell *t) static struct sip_msg faked_req; struct sip_msg *shmem_msg; struct ua_client *uac; - struct script_route_ref *on_failure; + int on_failure_idx; int old_route_type; shmem_msg = t->uas.request; @@ -622,11 +622,11 @@ static inline int run_failure_handlers(struct cell *t) /* avoid recursion -- if failure_route forwards, and does not * set next failure route, failure_route will not be reentered * on failure */ - on_failure = t->on_negative; + on_failure_idx = t->on_negative->idx; t_on_negative(NULL); /* run a reply_route action if some was marked */ swap_route_type(old_route_type, FAILURE_ROUTE); - run_top_route(sroutes->failure[on_failure->idx], &faked_req); + run_top_route(sroutes->failure[on_failure_idx], &faked_req); set_route_type(old_route_type); }