From 7d3f42c9018195e9dd6ef7c0b6295c9e3dba1403 Mon Sep 17 00:00:00 2001 From: David Trihy Date: Mon, 12 Jan 2026 18:19:27 +0000 Subject: [PATCH 1/2] GCVCALLP-2360: Crash fix for topology hiding --- modules/topology_hiding/topo_hiding_logic.c | 9 +++++--- parser/parse_rr.c | 23 +++++++++++---------- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/modules/topology_hiding/topo_hiding_logic.c b/modules/topology_hiding/topo_hiding_logic.c index 9fc4462ee2..15784b0390 100644 --- a/modules/topology_hiding/topo_hiding_logic.c +++ b/modules/topology_hiding/topo_hiding_logic.c @@ -1666,6 +1666,7 @@ static char* build_encoded_contact_suffix(struct sip_msg* msg, str *routes, str* param_t *it; rr_t *head = NULL; int is_req = (msg->first_line.type==SIP_REQUEST)?1:0; + int params_len = 0; int local_len = sizeof(short) /* RR length */ + sizeof(short) /* Contact length */ + sizeof(short) /* RR length */ + @@ -1729,7 +1730,7 @@ static char* build_encoded_contact_suffix(struct sip_msg* msg, str *routes, str* /* we just iterate over the unknown params */ for (i=0;iparam_name, &ctu.u_name[i])) - suffix_len += topo_ct_param_len(&ctu.u_name[i], &ctu.u_val[i], 0); + params_len += topo_ct_param_len(&ctu.u_name[i], &ctu.u_val[i], 0); } } } @@ -1745,12 +1746,14 @@ static char* build_encoded_contact_suffix(struct sip_msg* msg, str *routes, str* for (el=th_hdr_param_list;el;el=el->next) { for (it=((contact_body_t *)msg->contact->parsed)->contacts->params;it;it=it->next) { if (str_match(&el->param_name, &it->name)) - suffix_len += topo_ct_param_len(&it->name, &it->body, 1); + params_len += topo_ct_param_len(&it->name, &it->body, 1); } } } } + total_len += params_len; + suffix_enc = pkg_malloc(total_len+1); if (!suffix_enc) { LM_ERR("no more pkg\n"); 
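Review bot: `total_len += params_len;` sizes the `pkg_malloc(total_len+1)` buffer from Contact parameter lengths taken from the received message, but nothing in the hunk shows that the copy pass writes exactly that many bytes. The two `str_match` loops here and in the `-1729` hunk must select the same parameters as the code that later fills `suffix_enc`, which lies outside the hunk; if the filters drift apart, the buffer can be undersized. I would add a comment at the addition, `/* params_len counts only the params the copy loops below emit; keep both filters identical */`, and compare the final write offset with `total_len` before returning. The context lines also show lengths encoded as `short`, so it is worth confirming that oversized values are rejected rather than truncated.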
@@ -1837,7 +1840,7 @@ static int topo_no_dlg_encode_contact(struct sip_msg *msg, unsigned int flags, s { struct lump* lump; char *prefix=NULL,*suffix=NULL,*ct_username=NULL; - int prefix_len,suffix_len,ct_username_len=0; + int prefix_len,suffix_len = 0,ct_username_len=0; struct sip_uri ctu; str contact; diff --git a/parser/parse_rr.c b/parser/parse_rr.c index 42d290ab62..ee1f031918 100644 --- a/parser/parse_rr.c +++ b/parser/parse_rr.c @@ -354,15 +354,15 @@ int shm_duplicate_rr(rr_t** _new, rr_t* _r, int first) int print_rr_body_ignore(struct hdr_field *iroute, str *oroute, int order, int no_change, str *rrs_to_ignore) { - rr_t *p, *ignored = NULL; - int n = 0; + rr_t *p; + int n = 0, nr=0; int i = 0; int route_len; #define MAX_RR_HDRS 64 static str route[MAX_RR_HDRS]; + str s_rr; char *cp, *start; struct hdr_field tmp, *hdr; - str s_rr = STR_NULL; if(iroute==NULL) return 0; @@ -391,18 +391,17 @@ int print_rr_body_ignore(struct hdr_field *iroute, str *oroute, int order, s_rr.s = p->nameaddr.name.s; s_rr.len = p->len; if (str_strstr(rrs_to_ignore, &s_rr) == NULL) { - route[n].s = s_rr.s; - route[n].len = s_rr.len; + route[n].s = p->nameaddr.name.s; + route[n].len = p->len; LM_DBG("current rr is %.*s\n", route[n].len, route[n].s); + route_len += route[n].len; n++; - route_len += route[i].len; - if (n==MAX_RR_HDRS) + if(n==MAX_RR_HDRS) { LM_ERR("too many RR\n"); goto error; } - s_rr = STR_NULL; } p = p->next; } @@ -411,9 +410,11 @@ int print_rr_body_ignore(struct hdr_field *iroute, str *oroute, int order, iroute = iroute->sibling; } - route_len += (n - 1); /* for commas */ + route_len += n - 1; /* for commas */ - oroute->s = (char*)pkg_malloc(route_len); + LM_ERR("Route len %d\n", route_len); + + oroute->s = (char*) pkg_malloc(route_len); if(oroute->s==0) { 
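Review bot: `prefix_len` is still left uninitialised in the declaration that now zeroes `suffix_len`, so any path that reads it before the prefix builder sets it has the same problem this line fixes. The body of `topo_no_dlg_encode_contact` continues outside the hunk, so I cannot tell whether such a path exists. Initialising all three is cheap: `int prefix_len = 0, suffix_len = 0, ct_username_len = 0;`.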
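Review bot: `nr` is introduced in `int n = 0, nr=0;` but none of the visible hunks reads or writes it; if the rest of `print_rr_body_ignore` does not use it either, drop it. `s_rr` also loses its `STR_NULL` initialiser, which is safe only while every read follows the two assignments inside the loop, so keeping `str s_rr = STR_NULL;` costs nothing and removes that dependency.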
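Review bot: `route_len += n - 1;` subtracts one when every Record-Route entry matched `rrs_to_ignore` and `n` is 0, and the result is passed straight to `pkg_malloc(route_len)`. Unless an `n == 0` guard sits outside the hunk, a negative length is likely converted to a very large allocation request and, after the later hunk, also stored in `oroute->len`. Guard the comma count with `if (n > 0) route_len += n - 1;` and return an empty `oroute` explicitly for the no-routes case. The initial value of `route_len` is set outside the hunk, so confirm it starts at 0.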
@@ -444,7 +445,7 @@ int print_rr_body_ignore(struct hdr_field *iroute, str *oroute, int order, *(cp++) = ','; } } - oroute->len=cp - start; + oroute->len = route_len; LM_DBG("out rr [%.*s]\n", oroute->len, oroute->s); LM_DBG("we have %i records\n", n); From 3be2726b29189e8f33b041905e65895c5a20e043 Mon Sep 17 00:00:00 2001 From: David Trihy Date: Mon, 12 Jan 2026 11:48:53 -0800 Subject: [PATCH 2/2] GCVCALLP-2360: Remove errant error log --- parser/parse_rr.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/parser/parse_rr.c b/parser/parse_rr.c index ee1f031918..d397620deb 100644 --- a/parser/parse_rr.c +++ b/parser/parse_rr.c @@ -412,8 +412,6 @@ int print_rr_body_ignore(struct hdr_field *iroute, str *oroute, int order, route_len += n - 1; /* for commas */ - LM_ERR("Route len %d\n", route_len); - oroute->s = (char*) pkg_malloc(route_len); if(oroute->s==0)
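Review bot: `oroute->len = route_len;` reports the precomputed size instead of the bytes actually written, so a mismatch between the sizing loop and the copy loop is now silent. If fewer bytes are written, `oroute` exposes uninitialised pkg memory to whoever consumes it; if more are written, the overflow goes unnoticed. The copy loop starts outside the hunk, so I cannot confirm the two always agree. I would keep `oroute->len = cp - start;` and add `if (oroute->len != route_len) LM_ERR("rr length mismatch\n");` so the invariant is checked rather than assumed.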