From 97c7916892da9877a37514f66e3f8c15012f2ef1 Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Tue, 1 Jun 2021 03:33:59 +0200 Subject: fix use-after-free in SIP re-INVITE Copy the m_mode before freeing the parser. Address sanitizer aborted with: 20210601033017695 DSIP INFO re-INVITE for call 854A5CDA8037073 (sip.c:192) ================================================================= ==8583==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000003250 at pc 0x55c3b4624dc5 bp 0x7ffe8a4464d0 sp 0x7ffe8a4464c8 READ of size 8 at 0x612000003250 thread T0 #0 0x55c3b4624dc4 in sdp_get_sdp_mode ../../../src/osmo-sip-connector/src/sdp.c:72 #1 0x55c3b462be9e in sip_handle_reinvite ../../../src/osmo-sip-connector/src/sip.c:202 #2 0x55c3b462d676 in nua_callback ../../../src/osmo-sip-connector/src/sip.c:397 [...] Change-Id: I4c48832f01e61e98536de8f164ab5a3caa64f34a --- src/sdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sdp.c b/src/sdp.c index f1909d4..7bfcff5 100644 --- a/src/sdp.c +++ b/src/sdp.c @@ -68,8 +68,8 @@ bool sdp_get_sdp_mode(const sip_t *sip, sdp_mode_t *mode) { return sdp_sendrecv; } - sdp_parser_free(parser); *mode = sdp->sdp_media->m_mode; + sdp_parser_free(parser); return true; } -- cgit v1.2.3
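Review bot: The early-exit branch kept as context just above the fix still ends in `return sdp_sendrecv;`, although the hunk header shows `sdp_get_sdp_mode` returns `bool`. An `sdp_mode_t` enumerator returned as `bool` most likely converts to `true` (assuming it is nonzero), and nothing visible on that path writes `*mode`, so a caller could act on an uninitialized mode after an apparently successful call. If the intent is to default to send/receive, make it explicit with `*mode = sdp_sendrecv;` followed by `return true;`. The condition guarding that branch and the rest of the function body lie outside the hunk, so whether the parser is freed on that path should be confirmed there as well.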