[asterisk-bugs] [JIRA] (ASTERISK-27279) Crash in pubsub_on_rx_request NULL pointer - Possible PJSIP Vulnerability
Ross Beer (JIRA)
noreply at issues.asterisk.org
Tue Sep 19 09:36:09 CDT 2017
Ross Beer created ASTERISK-27279:
------------------------------------
Summary: Crash in pubsub_on_rx_request NULL pointer - Possible PJSIP Vulnerability
Key: ASTERISK-27279
URL: https://issues.asterisk.org/jira/browse/ASTERISK-27279
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Resources/res_pjsip_pubsub
Affects Versions: GIT
Environment: Fedora 23
Reporter: Ross Beer
Crash when receiving a SUBSCRIBE request with no content type.
{noformat}
#0 0x00007f8a3598d1a2 in pj_stricmp (str1=0x0, str2=0x7f89a9e3aab0) at ../include/pj/string_i.h:216
#1 0x00007f8a3598d2b1 in pj_stricmp2 (str1=0x0, str2=0x7f89bab14f5e "application") at ../include/pj/string_i.h:315
copy2 = {ptr = 0x7f89bab14f5e "application", slen = 11}
#2 0x00007f89bab1226f in pubsub_on_rx_request (rdata=0x7f88ec0688d8) at res_pjsip_pubsub.c:3589
rdata = 0x7f88ec0688d8
#3 0x00007f89bab1226f in pubsub_on_rx_request (rdata=0x7f88ec0688d8) at res_pjsip_pubsub.c:3603
rdata = 0x7f88ec0688d8
{noformat}
The segfault is caused by a NULL pointer in the following method:
{noformat}
static pj_bool_t pubsub_on_rx_notify_request(pjsip_rx_data *rdata)
{
	if (pj_stricmp2(&rdata->msg_info.msg->body->content_type.type, "application") == 0 &&
		pj_stricmp2(&rdata->msg_info.msg->body->content_type.subtype, "simple-message-summary") == 0) {
		return pubsub_on_rx_mwi_notify_request(rdata);
	}
	return PJ_FALSE;
}
{noformat}
I would have expected PJSIP to have rejected the request due to the lack of a content type; however, it appears to have passed without issue.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
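
Added example, not part of the original report and not the Asterisk project's fix: a self-contained C program showing the guard the crash points to, declining a message with no body before its content type is read. The types and the names str_t, media_type_t, msg_body_t, msg_t, type_field_offset, str_ieq and is_mwi_notify are stand-ins constructed here to mirror the fields in the report; they are not PJSIP's headers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-in types constructed for this example; they mirror the fields named
 * in the report and are NOT the real PJSIP headers. */
typedef struct { const char *ptr; long slen; } str_t;
typedef struct { str_t type; str_t subtype; } media_type_t;
typedef struct { media_type_t content_type; } msg_body_t;
typedef struct { msg_body_t *body; } msg_t; /* body == NULL: request had no body */

/* Offset of content_type.type inside the body. With this layout it is 0, so
 * &body->content_type.type on a NULL body is itself NULL (cf. str1=0x0). */
static size_t type_field_offset(void)
{
	return offsetof(msg_body_t, content_type.type);
}

/* Length-aware, case-insensitive comparison of a counted string and a literal. */
static int str_ieq(const str_t *s, const char *lit)
{
	size_t n = strlen(lit);
	return s->ptr != NULL && s->slen >= 0 && (size_t)s->slen == n
		&& strncasecmp(s->ptr, lit, n) == 0;
}

/* Hypothetical guarded check: 1 only when a body is present and is typed
 * application/simple-message-summary; 0 (decline) when there is no body. */
static int is_mwi_notify(const msg_t *msg)
{
	if (msg == NULL || msg->body == NULL) {
		return 0;
	}
	return str_ieq(&msg->body->content_type.type, "application")
		&& str_ieq(&msg->body->content_type.subtype, "simple-message-summary");
}

int main(void)
{
	msg_body_t mwi = { { { "application", 11 }, { "simple-message-summary", 22 } } };
	msg_t with_body = { &mwi };  /* constructed sample: NOTIFY carrying an MWI body */
	msg_t no_body = { NULL };    /* constructed sample: request without a body */

	printf("offset=%zu with_body=%d no_body=%d\n", type_field_offset(),
		is_mwi_notify(&with_body), is_mwi_notify(&no_body));
	return 0;
}
```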