Skip to content

Commit

Permalink
sipsess/reply: fix heap-use-after-free bug
Browse files Browse the repository at this point in the history 
fixes #1178 - `mem_deref(sess)` calls list_flush(&sess->replyl)
within destructor and reply is a dangling pointer after this.
  • Loading branch information
@sreimers
sreimers committed Aug 18, 2024
1 parent ee1be80 commit 06f5129
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/sipsess/reply.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,8 @@ static void tmr_handler(void *arg)
}
}
else {
mem_deref(sess);
mem_deref(sess); /* list_flush derefs reply */
return;
}

mem_deref(reply);
Expand Down

0 comments on commit 06f5129

Please sign in to comment.