Module: kamailio Branch: 5.8 Commit: c207afcf7ae30fa98cde00919417446d6c3eef7e URL: https://github.com/kamailio/kamailio/commit/c207afcf7ae30fa98cde00919417446d6c3eef7e
Author: Norm Brandinger <[email protected]> Committer: Daniel-Constantin Mierla <[email protected]> Date: 2026-03-05T18:01:49+01:00 dialog: fix race condition in link_dlg_profile Move link_profile() call inside the dialog entry lock in link_dlg_profile(). Without this, a linker added to the dialog's profile list becomes visible to destroy_linkers() before it is inserted into the profile hash table. If destroy_linkers() runs in that window, it sees hash_linker.next as NULL, skips the hash table unlink, and frees the linker. The subsequent link_profile() call then operates on freed memory, corrupting the profile hash table. This causes SIGSEGV in get_profile_size() (NULL pointer in hash chain traversal) or an infinite loop when hash buckets become cross-linked. GH #2923 (cherry picked from commit c958cc7a1dcad00c4bb36f79d539bbb96f135642) (cherry picked from commit c3fd3592257edbb2bd4d74cb438e6576cac7a079) (cherry picked from commit 79f3a1fdc1cc9e816171a87811d08c6f7c1c3fc8) --- Modified: src/modules/dialog/dlg_profile.c --- Diff: https://github.com/kamailio/kamailio/commit/c207afcf7ae30fa98cde00919417446d6c3eef7e.diff Patch: https://github.com/kamailio/kamailio/commit/c207afcf7ae30fa98cde00919417446d6c3eef7e.patch --- diff --git a/src/modules/dialog/dlg_profile.c b/src/modules/dialog/dlg_profile.c index 43aee6278e0..d71f9247a78 100644 --- a/src/modules/dialog/dlg_profile.c +++ b/src/modules/dialog/dlg_profile.c @@ -516,15 +516,16 @@ static void link_dlg_profile( linker->next = dlg->profile_links; dlg->profile_links = linker; linker->hash_linker.dlg = dlg; + link_profile(linker, &dlg->callid); dlg_unlock(d_table, d_entry); } else { linker->next = dlg->profile_links; dlg->profile_links = linker; linker->hash_linker.dlg = dlg; + link_profile(linker, &dlg->callid); } atomic_or_int((volatile int *)&dlg->dflags, DLG_FLAG_CHANGED_PROF); - link_profile(linker, &dlg->callid); } _______________________________________________ Kamailio - Development Mailing List -- [email protected] To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender!
