From 3a2c0979a5461050e6a50af14ea01b07c226ff2c Mon Sep 17 00:00:00 2001
From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
Date: Fri, 29 May 2015 20:56:34 -0400
Subject: [PATCH] sipaccount: fix free'ed memory access

Discovered using ASAN.
useUPnPAddressPortInVIA() stores getUPnPIpAddress().toString() result as pointer
but this last is a stack allocated object.

Refs #74409

Change-Id: I63bbb247225e31ca102b429dec4cb713ce4b7783
---
 src/sip/sipaccount.cpp | 5 +++--
 src/sip/sipaccount.h   | 6 ++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/sip/sipaccount.cpp b/src/sip/sipaccount.cpp
index eb0450a92f..6eb733aaa0 100644
--- a/src/sip/sipaccount.cpp
+++ b/src/sip/sipaccount.cpp
@@ -474,8 +474,9 @@ void SIPAccount::usePublishedAddressPortInVIA()
 
 void SIPAccount::useUPnPAddressPortInVIA()
 {
-    via_addr_.host.ptr = (char *) getUPnPIpAddress().toString().c_str();
-    via_addr_.host.slen = getUPnPIpAddress().toString().size();
+    upnpIpAddr_ = getUPnPIpAddress().toString();
+    via_addr_.host.ptr = (char *) upnpIpAddr_.c_str();
+    via_addr_.host.slen = upnpIpAddr_.size();
     via_addr_.port = publishedPortUsed_;
 }
 
diff --git a/src/sip/sipaccount.h b/src/sip/sipaccount.h
index cc26564ede..f01fe69dd3 100644
--- a/src/sip/sipaccount.h
+++ b/src/sip/sipaccount.h
@@ -768,6 +768,12 @@ class SIPAccount : public SIPAccountBase {
          */
         pjsip_host_port via_addr_;
 
+        /**
+         * Temporary storage for getUPnPIpAddress().toString()
+         * Used only by useUPnPAddressPortInVIA().
+         */
+        std::string upnpIpAddr_;
+
         char contactBuffer_[PJSIP_MAX_URL_SIZE];
         pj_str_t contact_;
         int contactRewriteMethod_;
-- 
GitLab