[asterisk-bugs] [JIRA] (ASTERISK-29024) pjsip: Route Header in Cancel request incorrectly set

nappsoft (JIRA) noreply at issues.asterisk.org
Tue Dec 8 04:01:17 CST 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252975#comment-252975 ] 

nappsoft commented on ASTERISK-29024:
-------------------------------------

Got the following crash twice yesterday while testing. However, this only ever happened with the current patch for ASTERISK-29022 applied. (However, I can't say for sure that it could not possibly happen without the mentioned patch as well. But I've let my testcase run for about 30 hours without the mentioned patch without any crash, and got 3 crashes during about 8 hours of testing with the mentioned patch... but of course, we all know how it is with race conditions/memory corruption: a small change in the environment can make the issue pop up frequently or make it vanish...).

Could the patch for ASTERISK-29022 somehow have an influence on the lifetime of rdata->tp_info.pool? Or is rdata->tp_info.pool the wrong pool to use anyway? However, the strange thing is that this always happens on the second call to rewrite_uri (so not in the if (rr) case, but afterwards for the route_set).

> pjsip: Route Header in Cancel request incorrectly set
> -----------------------------------------------------
>
>                 Key: ASTERISK-29024
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29024
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 17.6.0
>            Reporter: Flole Systems
>            Assignee: Unassigned
>              Labels: patch
>         Attachments: 0001-pjsip-Create-deep-copies-of-strings-where-appropriat.patch, 2.txt, res_pjsip_nat.diff
>
>
> When I initiate a call using PJSIP and cancel the call while it's still ringing, the Route header seems to be sent incorrectly. It looks like it's a pointer to a memory region that got overwritten. I saw internal IP addresses in there as well as some other stuff like "Route: <sip:}". The "Route: <sip:" is always set properly; just the part after the sip is never set correctly, and also the closing ">" is always missing.
> As the memory region that it reads from can't be controlled, it might happen that confidential data like a password is exposed over this.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
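The failure mode discussed in this thread (a Route header built from a string whose bytes lived in a per-message pool that has since been recycled) comes down to the non-owning nature of a pointer-plus-length string: copying the struct copies only the reference, so whoever later reuses the underlying pool overwrites what the route set still points at. The following stand-alone C program is an added illustration, not pjproject or Asterisk code: `str_t`, `pool_t`, `pool_alloc`, `pool_reset`, `str_assign`, `str_dup`, `demo` and the two sample packets are all constructed here to model the shallow-copy-versus-deep-copy difference (`str_dup` plays the role a `pj_strdup`-style copy into the dialog's pool would play). The exact bytes that end up in the header in the real crash are, of course, not reproducible; the model only shows why recycled pool memory, including credential-like data from a later packet, can surface in the CANCEL.

```c
#include <stdio.h>
#include <string.h>

/* Model of a (pointer, length) string: it does not own its bytes.
 * Constructed for this example; not pjproject's pj_str_t definition. */
typedef struct { char *ptr; long slen; } str_t;

/* Toy bump allocator standing in for a pool. pool_reset() makes the whole
 * region reusable, so the next allocation overwrites earlier contents,
 * like a per-received-message pool being recycled for the next packet. */
typedef struct { char buf[256]; size_t used; } pool_t;

static void *pool_alloc(pool_t *p, size_t n) {
    if (p->used + n > sizeof p->buf) return NULL;
    void *r = p->buf + p->used;
    p->used += n;
    return r;
}

static void pool_reset(pool_t *p) { p->used = 0; }

/* Shallow copy: only the (ptr, len) pair moves; bytes stay in the source pool. */
static void str_assign(str_t *dst, const str_t *src) { *dst = *src; }

/* Deep copy: bytes are duplicated into a pool the destination controls. */
static int str_dup(pool_t *pool, str_t *dst, const str_t *src) {
    char *buf = pool_alloc(pool, (size_t)src->slen);
    if (!buf) return -1;
    memcpy(buf, src->ptr, (size_t)src->slen);
    dst->ptr = buf;
    dst->slen = src->slen;
    return 0;
}

static void build_route_header(char *out, size_t outsz, const str_t *host) {
    snprintf(out, outsz, "Route: <sip:%.*s>", (int)host->slen, host->ptr);
}

/* Simulates: (1) a Record-Route host parsed into a received-message pool,
 * (2) storing it in the dialog's route set (shallow or deep copy),
 * (3) the message pool being recycled for the next packet,
 * (4) the CANCEL's Route header being built from the stored entry.
 * Returns the header text written into `out`. */
static const char *demo(int deep_copy, char *out, size_t outsz) {
    static pool_t rdata_pool;  /* short-lived, per received message */
    static pool_t dlg_pool;    /* lives as long as the call */
    memset(&rdata_pool, 0, sizeof rdata_pool);
    memset(&dlg_pool, 0, sizeof dlg_pool);

    /* (1) constructed sample Record-Route host from the provisional response */
    const char rr_text[] = "proxy.example.com;lr";
    str_t rr_host;
    rr_host.slen = (long)(sizeof rr_text - 1);
    rr_host.ptr = pool_alloc(&rdata_pool, (size_t)rr_host.slen);
    memcpy(rr_host.ptr, rr_text, (size_t)rr_host.slen);

    /* (2) store it in the route set */
    str_t route_entry;
    if (deep_copy)
        str_dup(&dlg_pool, &route_entry, &rr_host);
    else
        str_assign(&route_entry, &rr_host);

    /* (3) pool recycled and refilled by an unrelated later packet; the
     * constructed sample happens to carry credential-like bytes */
    pool_reset(&rdata_pool);
    const char next_pkt[] = "}secret-password-123";
    char *p = pool_alloc(&rdata_pool, sizeof next_pkt - 1);
    memcpy(p, next_pkt, sizeof next_pkt - 1);

    /* (4) build the header the CANCEL would carry */
    build_route_header(out, outsz, &route_entry);
    return out;
}

int main(void) {
    char buf[128];
    printf("shallow copy: %s\n", demo(0, buf, sizeof buf));
    printf("deep copy:    %s\n", demo(1, buf, sizeof buf));
    return 0;
}
```

With the shallow copy the header reads `Route: <sip:}secret-password-123>`: the bytes now belong to the next packet, which is exactly the disclosure risk the reporter raises. With the deep copy the route set keeps its own bytes in the dialog pool and the header is `Route: <sip:proxy.example.com;lr>` regardless of what happens to the message pool afterwards.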


