From 06f5129a2dfa34d21933abdfc2f94924c58bb3b1 Mon Sep 17 00:00:00 2001
From: Sebastian Reimers
Date: Sun, 18 Aug 2024 20:38:40 +0200
Subject: [PATCH 1/2] sipsess/reply: fix heap-use-after-free bug

fixes #1178

- `mem_deref(sess)` calls list_flush(&sess->replyl) within destructor and reply is a dangling pointer after this.
---
 src/sipsess/reply.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/sipsess/reply.c b/src/sipsess/reply.c
index 30d98ff16..ae9f29ce6 100644
--- a/src/sipsess/reply.c
+++ b/src/sipsess/reply.c
@@ -66,7 +66,8 @@ static void tmr_handler(void *arg)
 		}
 	}
 	else {
-		mem_deref(sess);
+		mem_deref(sess); /* list_flush derefs reply */
+		return;
 	}
 
 	mem_deref(reply);

From 6184bbe3cc29f28e8167226b32b82df5edd9c511 Mon Sep 17 00:00:00 2001
From: Sebastian Reimers
Date: Sun, 18 Aug 2024 20:52:16 +0200
Subject: [PATCH 2/2] deref reply before session

---
 src/sipsess/reply.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/sipsess/reply.c b/src/sipsess/reply.c
index ae9f29ce6..dad7f3b70 100644
--- a/src/sipsess/reply.c
+++ b/src/sipsess/reply.c
@@ -66,7 +66,8 @@ static void tmr_handler(void *arg)
 		}
 	}
 	else {
-		mem_deref(sess); /* list_flush derefs reply */
+		mem_deref(reply);
+		mem_deref(sess);
 		return;
 	}
 
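Review bot: The final order `mem_deref(reply); mem_deref(sess);` in the else-branch is only free of the original use-after-free if the reply's destructor unlinks `reply->le` from `sess->replyl` before the session destructor runs `list_flush`; if the list still holds the node (or a second reference) after the first deref, the flush touches freed memory or double-derefs, so this depends on code outside the hunk and should be confirmed. The first patch's `/* list_flush derefs reply */` rationale was dropped in the second, leaving a non-obvious release order undocumented; the branch should carry a comment such as `/* release reply before sess: the session destructor flushes replyl */`. The `return;` also skips everything after the trailing `mem_deref(reply);` for the timeout path, and tmr_handler continues outside the hunk, so verify nothing below it (timer cleanup, state update) is required in that case.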