From: Dmitry Verenitsin Date: Mon, 25 May 2026 21:15:19 +0000 (+0500) Subject: [mod_sofia] Fix use-after-free in dispatch event thread. (#3031) X-Git-Tag: v1.11.1^2~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=08c3fffa7cf6596a25f564d747fa7c28424a368c;p=thirdparty%2Ffreeswitch.git [mod_sofia] Fix use-after-free in dispatch event thread. (#3031) `sofia_process_dispatch_event_in_thread` allocated `td` from a memory pool, then `sofia_msg_thread_run_once` destroyed that same pool after processing the event — leaving `td` dangling when the thread pool worker accessed it. Allocate `td` with `switch_zmalloc` (`td->alloc = 1`) so the worker frees it safely after the function returns. Remove the now-unused `pool` field from `sofia_dispatch_event_t`. --- diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h index 8e2b1b483c..3689f82a20 100644 --- a/src/mod/endpoints/mod_sofia/mod_sofia.h +++ b/src/mod/endpoints/mod_sofia/mod_sofia.h @@ -168,7 +168,6 @@ typedef struct sofia_dispatch_event_s { int save; switch_core_session_t *session; switch_core_session_t *init_session; - switch_memory_pool_t *pool; struct sofia_dispatch_event_s *next; } sofia_dispatch_event_t; diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c index 2901ffdd63..7579c8c03c 100644 --- a/src/mod/endpoints/mod_sofia/sofia.c +++ b/src/mod/endpoints/mod_sofia/sofia.c 
@@ -2199,22 +2199,15 @@ static uint32_t DE_THREAD_CNT = 0; void *SWITCH_THREAD_FUNC sofia_msg_thread_run_once(switch_thread_t *thread, void *obj) { sofia_dispatch_event_t *de = (sofia_dispatch_event_t *) obj; - switch_memory_pool_t *pool = NULL; switch_mutex_lock(mod_sofia_globals.mutex); DE_THREAD_CNT++; switch_mutex_unlock(mod_sofia_globals.mutex); if (de) { - pool = de->pool; - de->pool = NULL; sofia_process_dispatch_event(&de); } - if (pool) { - switch_core_destroy_memory_pool(&pool); - } - switch_mutex_lock(mod_sofia_globals.mutex); DE_THREAD_CNT--; switch_mutex_unlock(mod_sofia_globals.mutex); @@ -2225,16 +2218,12 @@ void *SWITCH_THREAD_FUNC sofia_msg_thread_run_once(switch_thread_t *thread, void void sofia_process_dispatch_event_in_thread(sofia_dispatch_event_t **dep) { sofia_dispatch_event_t *de = *dep; - switch_memory_pool_t *pool; - //sofia_profile_t *profile = (*dep)->profile; switch_thread_data_t *td; - switch_core_new_memory_pool(&pool); - *dep = NULL; - de->pool = pool; - td = switch_core_alloc(pool, sizeof(*td)); + switch_zmalloc(td, sizeof(*td)); + td->alloc = 1; td->func = sofia_msg_thread_run_once; td->obj = de;
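Review bot: The ownership rule that makes this fix hold is now invisible in sofia_msg_thread_run_once: nothing in the remaining body says why no memory is released here, so a later maintainer could reintroduce a pool or a free on `td` and recreate the use-after-free the commit removes. The constraint comes from the second hunk (`switch_zmalloc(td, ...)`, `td->alloc = 1`), where the thread-pool worker, not this function, frees `td` after it returns, and `de` is handed to `sofia_process_dispatch_event(&de)` by address, which presumably consumes it. I would record that above the `if (de)` block: `/* Do not free anything here: td (the worker's obj container) is heap-allocated with td->alloc = 1 and is released by the thread-pool worker after this function returns; de is consumed by sofia_process_dispatch_event(). */`. The function's tail, including its return, lies outside the hunk.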