From 06f5129a2dfa34d21933abdfc2f94924c58bb3b1 Mon Sep 17 00:00:00 2001
From: Sebastian Reimers
Date: Sun, 18 Aug 2024 20:38:40 +0200
Subject: [PATCH] sipsess/reply: fix heap-use-after-free bug
fixes #1178
- `mem_deref(sess)` calls list_flush(&sess->replyl) within destructor and reply is a dangling pointer after this.
---
 src/sipsess/reply.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/sipsess/reply.c b/src/sipsess/reply.c
index 30d98ff16..ae9f29ce6 100644
--- a/src/sipsess/reply.c
+++ b/src/sipsess/reply.c
@@ -66,7 +66,8 @@ static void tmr_handler(void *arg)
 }
 }
 else {
- mem_deref(sess);
+ mem_deref(sess); /* list_flush derefs reply */
+ return;
 }
 mem_deref(reply);
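Review bot: The early `return` after `mem_deref(sess)` makes correctness depend on that call dropping the last reference so the session destructor's `list_flush(&sess->replyl)` actually runs; if some other holder still references `sess`, `reply` is not freed here but stays queued in `sess->replyl` (timer, message and all) until the session is finally destroyed, and the one-line comment does not say so. A release order that does not depend on the refcount would be to drop the reply first, `mem_deref(reply); mem_deref(sess); return;`, which is safe provided `reply->sess` is a non-owning back-pointer and the reply destructor unlinks itself from `sess->replyl` — neither of which is visible in this hunk, so confirm against the destructor before changing it. If the current shape is kept, the comment should state the ownership hazard explicitly, e.g. `/* may drop the last ref: the sess destructor flushes replyl and frees reply, so reply must not be touched after this */`. Note that `tmr_handler` begins outside this hunk, so the earlier `sess`/`reply` handling it relies on could not be reviewed here.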