[asterisk-bugs] [JIRA] (ASTERISK-29024) pjsip: Route Header in Cancel request incorrectly set
nappsoft (JIRA)
noreply at issues.asterisk.org
Tue Dec 8 04:26:17 CST 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-29024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252976#comment-252976 ]
nappsoft commented on ASTERISK-29024:
-------------------------------------
Could it be the case that the first call to rewrite_uri (the one for pjsip_rr_hdr) makes the pjsip_routing_hdr in dlg->route_set invalid as the structs are pointing to the same memory location first (like I've written: in my case rewrite_uri is called twice even though the message only has a Record-Route and no route header, so dlg->route_set.next seems to point to the rr header) but the pointer to route->name_addr in the route set is not updated properly?
> pjsip: Route Header in Cancel request incorrectly set
> -----------------------------------------------------
>
> Key: ASTERISK-29024
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29024
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: pjproject/pjsip
> Affects Versions: 17.6.0
> Reporter: Flole Systems
> Assignee: Unassigned
> Labels: patch
> Attachments: 0001-pjsip-Create-deep-copies-of-strings-where-appropriat.patch, 2.txt, res_pjsip_nat.diff
>
>
> When I initiate a call using PJSIP and Cancel the call while it's still ringing, the Route-Header seems to be sent incorrectly. It looks like it's a pointer to a memory region that got overwritten. I saw internal IP Addresses in there as well as some other stuff like "Route: <sip:}". The "Route: <sip:" is always set properly, just the part after the sip is never set correctly and also the closing ">" is always missing.
> As the memory region that it reads from can't be controlled it might happen that confidential data like a password is exposed over this.
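The failure mode discussed in this message (a route entry that shares memory with another header and later reads whatever was written there) can be reproduced in a few lines. This is an added example, not code from pjproject, Asterisk or the attached patch; `str_t`, `pool_t`, `pool_alloc`, `str_dup`, `str_eq` and `demo` are hypothetical names, and the URI and the "other" data are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical pointer+length string: no terminator, the bytes are owned elsewhere. */
typedef struct { char *ptr; size_t len; } str_t;
/* Hypothetical bump allocator standing in for a per-message or per-dialog pool. */
typedef struct { char buf[128]; size_t used; } pool_t;

static char *pool_alloc(pool_t *p, size_t n) {
    if (n > sizeof p->buf - p->used) return NULL;
    char *out = p->buf + p->used;
    p->used += n;
    return out;
}

/* Deep copy: duplicate the bytes into a pool that the copy's owner controls. */
static int str_dup(pool_t *p, str_t *dst, const str_t *src) {
    char *mem = pool_alloc(p, src->len);
    if (!mem) return -1;
    memcpy(mem, src->ptr, src->len);
    dst->ptr = mem;
    dst->len = src->len;
    return 0;
}

static int str_eq(const str_t *s, const char *lit) {
    return s->len == strlen(lit) && memcmp(s->ptr, lit, s->len) == 0;
}

/* Returns 1 when the shallow route entry went stale and the deep copy survived. */
int demo(void) {
    pool_t msg_pool = {{0}, 0}, dlg_pool = {{0}, 0};
    const char *uri = "sip:192.0.2.10;lr";          /* constructed Record-Route URI */
    const char *other = "token=CONSTRUCTED-VALUE";  /* constructed unrelated data */
    str_t rr = { pool_alloc(&msg_pool, strlen(uri)), strlen(uri) };
    memcpy(rr.ptr, uri, rr.len);

    str_t route_shallow = rr;   /* struct copy: same ptr, same len, shared bytes */
    str_t route_deep;
    if (str_dup(&dlg_pool, &route_deep, &rr) != 0) return -1;

    /* The message memory is recycled; the shallow entry is never told about it. */
    memset(&msg_pool, 0, sizeof msg_pool);
    memcpy(pool_alloc(&msg_pool, strlen(other)), other, strlen(other));

    printf("shallow: Route: <%.*s>\n", (int)route_shallow.len, route_shallow.ptr);
    printf("deep:    Route: <%.*s>\n", (int)route_deep.len, route_deep.ptr);
    return !str_eq(&route_shallow, uri) && str_eq(&route_deep, uri);
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

The shallow entry prints the first 17 bytes of the unrelated data because its length field still describes the old URI, while the entry copied into the dialog-owned pool is unaffected.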