From f555c851105633bff5af604270f8039f45b5d62f Mon Sep 17 00:00:00 2001 From: Norm Brandinger Date: Thu, 12 Feb 2026 07:29:30 -0500 Subject: [PATCH] b2b_entities: fix crash calling b2b_init_request from async resume route When b2b_init_request() is called from an async resume route (e.g. after rest_post), the SIP message is a TM faked request whose parsed headers are memcpy'd SHM pointers from the transaction copy. b2b_apply_lumps() calls free_sip_msg() which invokes pkg_free() on those SHM pointers, triggering "bad pointer (out of memory block!) - aborting" and crashing the worker process. Guard b2b_apply_lumps() with a check for FL_TM_FAKE_REQ (already set by TM's fake_req()) and return early, mirroring how TM's own free_faked_req() avoids freeing the SHM header list. Fixes: https://github.com/OpenSIPS/opensips/issues/3796 --- modules/b2b_entities/dlg.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/b2b_entities/dlg.c b/modules/b2b_entities/dlg.c index 1479da09b53..1ec1c35738d 100644 --- a/modules/b2b_entities/dlg.c +++ b/modules/b2b_entities/dlg.c @@ -3983,6 +3983,14 @@ int b2b_apply_lumps(struct sip_msg* msg) if (msg==NULL || msg == FAKED_REPLY || msg==&dummy_msg) return 0; + /* TM faked requests have parsed headers in SHM (from the + * transaction copy). free_sip_msg() below would try to + * pkg_free() those SHM pointers, causing a "dangling pkg + * pointer" abort. Skip lump application for these messages. + * (see GH #3796) */ + if (msg->msg_flags & FL_TM_FAKE_REQ) + return 0; + if(!msg->body_lumps && !msg->add_rm) return 0;
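Review bot: the early `return 0` on `FL_TM_FAKE_REQ` silently discards any lumps already attached to the faked request (it returns before the `!msg->body_lumps && !msg->add_rm` check), and neither the comment nor the commit message says that modifications made in the async resume route are dropped rather than deferred; state that in the comment and add a debug log when `msg->add_rm` or `msg->body_lumps` is non-NULL at that point so a lost modification is diagnosable. Also, the abort text quoted in the comment ("dangling pkg pointer" abort) does not match the message quoted in the commit description ("bad pointer (out of memory block!) - aborting"); align the two so a log search on the crash string lands on this guard.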