[asterisk-bugs] [JIRA] (ASTERISK-24369) res_pjsip: Large message on reliable transport can cause empty messages to be passed from the PJSIP stack up, causing crashes in multiple locations

Matt Jordan (JIRA) noreply at issues.asterisk.org
Mon Sep 29 15:07:29 CDT 2014


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-24369:
-----------------------------------

    Description: 
When a message that exceeds the {{PJ_MAX_PKT_SIZE}} is sent over a reliable transport, it is possible (although it shouldn't occur) for pjproject to pass up an {{rdata}} object with a NULL {{msg}} in the {{msg_info}}. Needless to say, things that attempt to dereference this are in for a rough ride.

In particular, this caused crashes in three different locations (primarily):

# {{res_pjsip_logger}}
# {{res_hep_pjsip}}
# {{res_pjsip/distributor}}

While pjproject should not be doing this, some defensive coding is probably warranted. In all cases, this is essentially an off-nominal case, and we should bail out as fast as possible. Backtrace and patches are attached.

  was:
When a message that exceeds the {{PJ_MAX_PKT_SIZE}} is sent over a reliable transport, it is possible (although it shouldn't occur) for pjproject to pass up an {{rdata}} object with a NULL {{msg}} in the {{msg_info}}. Needless to say, things that attempt to dereference this are in for a rough ride.

In particular, this caused crashes in three different locations (primarily):

# {{res_pjsip_logger}}
# {{res_pjsip_hep}}
# {{res_pjsip/distributor}}




> res_pjsip: Large message on reliable transport can cause empty messages to be passed from the PJSIP stack up, causing crashes in multiple locations
> ---------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-24369
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24369
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_hep_pjsip, Resources/res_pjsip, Resources/res_pjsip_logger
>    Affects Versions: 12.6.0, 13.0.0-beta2
>            Reporter: Matt Jordan
>
> When a message that exceeds the {{PJ_MAX_PKT_SIZE}} is sent over a reliable transport, it is possible (although it shouldn't occur) for pjproject to pass up an {{rdata}} object with a NULL {{msg}} in the {{msg_info}}. Needless to say, things that attempt to dereference this are in for a rough ride.
> In particular, this caused crashes in three different locations (primarily):
> # {{res_pjsip_logger}}
> # {{res_hep_pjsip}}
> # {{res_pjsip/distributor}}
> While pjproject should not be doing this, some defensive coding is probably warranted. In all cases, this is essentially an off-nominal case, and we should bail out as fast as possible. Backtrace and patches are attached.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
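The defensive check the report calls for, as an added illustration written for this page (it is not one of the attached patches and not Asterisk code). It uses stand-in definitions for pjsip_rx_data so it compiles without pjproject; the callback name dispatch_on_rx and the sample packet sizes are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
/* Stand-ins for the pjsip types the report names (assumption: a real module
 * includes <pjsip.h>; only the fields used below are modelled). */
typedef int pj_bool_t;
#define PJ_TRUE  1
#define PJ_FALSE 0
typedef struct pjsip_msg { int type; } pjsip_msg;
typedef struct pjsip_rx_data {
    struct { size_t len; } pkt_info;      /* size of the raw packet received */
    struct { pjsip_msg *msg; } msg_info;  /* NULL in the failure the report describes */
} pjsip_rx_data;
/* Guard to run at the top of every rx callback before msg_info.msg is touched.
 * Returns 1 when the message may be inspected, 0 when the callback must bail. */
int rx_data_is_usable(const pjsip_rx_data *rdata)
{
    if (rdata == NULL) {
        return 0;
    }
    if (rdata->msg_info.msg == NULL) {
        /* Off-nominal: the stack passed up raw bytes with no parsed message. */
        fprintf(stderr, "Ignoring rx data with NULL msg (%zu raw bytes)\n",
                rdata->pkt_info.len);
        return 0;
    }
    return 1;
}

/* Shape of a module's on_rx_request/on_rx_response handler (hypothetical name).
 * PJ_TRUE means this module consumed the message; PJ_FALSE lets pjsip hand it
 * to the next module instead of crashing inside this one. */
pj_bool_t dispatch_on_rx(pjsip_rx_data *rdata)
{
    if (!rx_data_is_usable(rdata)) {
        return PJ_FALSE;                  /* bail out before any dereference */
    }
    printf("Dispatching message type %d\n", rdata->msg_info.msg->type);
    return PJ_TRUE;
}
/* Constructed sample: with_msg=0 mimics the oversized-packet case, where the
 * raw bytes arrived but the parsed msg pointer is NULL. */
pjsip_rx_data *constructed_rx(int with_msg)
{
    static pjsip_msg msg = { 1 };
    static pjsip_rx_data rdata;
    rdata.pkt_info.len = with_msg ? 512 : 70000;
    rdata.msg_info.msg = with_msg ? &msg : NULL;
    return &rdata;
}
```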