From 3a2c0979a5461050e6a50af14ea01b07c226ff2c Mon Sep 17 00:00:00 2001
From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
Date: Fri, 29 May 2015 20:56:34 -0400
Subject: [PATCH] sipaccount: fix free'ed memory access Discovered using ASAN. useUPnPAddressPortInVIA() stores getUPnPIpAddress().toString() result as pointer but this last is a stack allocated object. Refs #74409 Change-Id: I63bbb247225e31ca102b429dec4cb713ce4b7783
---
 src/sip/sipaccount.cpp | 5 +++--
 src/sip/sipaccount.h | 6 ++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/sip/sipaccount.cpp b/src/sip/sipaccount.cpp
index eb0450a92f..6eb733aaa0 100644
--- a/src/sip/sipaccount.cpp
+++ b/src/sip/sipaccount.cpp
@@ -474,8 +474,9 @@ void SIPAccount::usePublishedAddressPortInVIA()
 void SIPAccount::useUPnPAddressPortInVIA()
 {
- via_addr_.host.ptr = (char *) getUPnPIpAddress().toString().c_str();
- via_addr_.host.slen = getUPnPIpAddress().toString().size();
+ upnpIpAddr_ = getUPnPIpAddress().toString();
+ via_addr_.host.ptr = (char *) upnpIpAddr_.c_str();
+ via_addr_.host.slen = upnpIpAddr_.size();
 via_addr_.port = publishedPortUsed_;
 }
diff --git a/src/sip/sipaccount.h b/src/sip/sipaccount.h
index cc26564ede..f01fe69dd3 100644
--- a/src/sip/sipaccount.h
+++ b/src/sip/sipaccount.h
@@ -768,6 +768,12 @@ class SIPAccount : public SIPAccountBase {
 */
 pjsip_host_port via_addr_;
+ /**
+ * Temporary storage for getUPnPIpAddress().toString()
+ * Used only by useUPnPAddressPortInVIA().
+ */
+ std::string upnpIpAddr_;
+
 char contactBuffer_[PJSIP_MAX_URL_SIZE];
 pj_str_t contact_;
 int contactRewriteMethod_;
--
GitLab
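Review bot: In useUPnPAddressPortInVIA(), the new assignment to `upnpIpAddr_` can release the buffer that `via_addr_.host.ptr` still points to from an earlier call, so the Via host dangles again until the next two lines have run. That only matters if `via_addr_` can be read from another thread while this function executes, which the hunk does not show. If it can, the three assignments should run under whatever lock already protects `via_addr_`; if not, a comment such as `// via_addr_.host aliases upnpIpAddr_: refresh ptr/slen after every write to upnpIpAddr_` would record the invariant. The `(char *)` cast also drops the const of `c_str()`, so nothing may ever write through `host.ptr`.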
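Review bot: The doc comment on `upnpIpAddr_` calls it temporary storage, but after this change `via_addr_.host.ptr` points into this string for as long as `via_addr_` is in use, so it is backing storage with a lifetime requirement rather than a scratch value. I would word the comment as `Backing storage for via_addr_.host when the UPnP address is used.` followed by `via_addr_.host.ptr aliases this string; do not modify it without refreshing via_addr_.` The class body starts and ends outside the hunk, so it cannot be checked here whether SIPAccount is copyable or movable, which would carry the pointer over without re-pointing it.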