[asterisk-bugs] [JIRA] (ASTERISK-28936) pjsip crash when using non-sip uri

Asterisk Team (JIRA) noreply at issues.asterisk.org
Fri Jun 5 04:02:25 CDT 2020 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-28936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251037#comment-251037 ] 

Asterisk Team commented on ASTERISK-28936:
------------------------------------------

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

> pjsip crash when using non-sip uri
> ----------------------------------
>
>                 Key: ASTERISK-28936
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28936
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip
>    Affects Versions: 13.33.0
>            Reporter: Walter Doekes
>
> {noformat}
> *CLI> channel originate PJSIP/bob/tel:123 application Wait
> Segmentation fault
> {noformat}
> (Note that this does not always crash, because it depends on reading out-of-bounds mem.)
> BT:
> {noformat}
> (gdb) bt
> #0  __strncasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:198
> #1  0x00007ffff78e7c37 in pj_stricmp (str1=str1 at entry=0x7fff88009228, str2=str2 at entry=0x7fffa158b7f0 <x_name>) at ../include/pj/string_i.h:222
> #2  0x00007ffff784fdbd in pjsip_param_find (param_list=param_list at entry=0x7fff88009210, name=name at entry=0x7fffa158b7f0 <x_name>) at ../src/pjsip/sip_uri.c:38
> #3  0x00007fffa134bac3 in ast_sip_get_transport_name (endpoint=endpoint at entry=0x555555dde150, sip_uri=0x7fff88009188, buf=buf at entry=0x7fff9e842700 "", buf_len=buf_len at entry=128) at res_pjsip.c:3102
> #4  0x00007fffa134bbcf in ast_sip_set_tpselector_from_ep_or_uri (endpoint=endpoint at entry=0x555555dde150, sip_uri=<optimized out>, selector=selector at entry=0x7fff9e842830) at res_pjsip.c:3272
> #5  0x00007fffa134bc5c in ast_sip_dlg_set_transport (endpoint=endpoint at entry=0x555555dde150, dlg=0x7fff88008c38, selector=selector at entry=0x7fff9e842830) at res_pjsip.c:3130
> #6  0x00007fffa134bdfd in ast_sip_create_dialog_uac (endpoint=endpoint at entry=0x555555dde150, uri=uri at entry=0x7fff9e842ba4 "tekl:123 at bob", request_user=request_user at entry=0x0) at res_pjsip.c:3347
> {noformat}
> {noformat}
> (gdb) up
> #1  0x00007ffff78e7c37 in pj_stricmp (str1=str1 at entry=0x7fff88009228, str2=str2 at entry=0x7fffa158b7f0 <x_name>) at ../include/pj/string_i.h:222
> 222		int res = pj_ansi_strnicmp(str1->ptr, str2->ptr, min);
> (gdb) print *str1
> $1 = {ptr = 0x13 <error: Cannot access memory at address 0x13>, slen = 140737346742117}
> {noformat}
> The problem is in {{ast_sip_dlg_set_transport()}}. It assumes that the dlg->target is a {{pjsip_sip_uri}}, while it can also be a {{pjsip_other_uri}}:
> {code}
> pjsip_dialog *ast_sip_create_dialog_uac(const struct ast_sip_endpoint *endpoint,
>         const char *uri, const char *request_user)
> {
> ...
>         res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
> ...
>         /* We have to temporarily bump up the sess_count here so the dialog is not prematurely destroyed */
>         dlg->sess_count++;
>         ast_sip_dlg_set_transport(endpoint, dlg, &selector);
>         if (sip_dialog_create_from(dlg->pool, &local_uri, endpoint->fromuser, endpoint->fromdomain, &remote_uri, &selector)) {
> {code}
> And:
> {code}
> int ast_sip_dlg_set_transport(const struct ast_sip_endpoint *endpoint, pjsip_dialog *dlg,
>         pjsip_tpselector *selector)
> {
>         pjsip_sip_uri *uri;
>         pjsip_tpselector sel = { .type = PJSIP_TPSELECTOR_NONE, };
>         uri = pjsip_uri_get_uri(dlg->target);  // <-- invalid "dynamic" cast to pjsip_sip_uri
> {code}
> {{pjsip_dlg_create_uac()}} will initialize {{dlg->target}}, but it's not guaranteed to be a pjsip_sip_uri.
> After the cast in {{ast_sip_dlg_set_transport}}, {{ast_sip_set_tpselector_from_ep_or_uri}} reads out of bounds memory. (Memory that a pjsip_sip_uri would own, but a pjsip_other_uri does not.)
> Result: crash.
> Possible fix:
> {noformat}
> --- a/res/res_pjsip.c
> +++ b/res/res_pjsip.c
> @@ -3327,6 +3327,11 @@ pjsip_dialog *ast_sip_create_dialog_uac(const struct ast_sip_endpoint *endpoint,
>         pj_cstr(&target_uri, uri);
>  
>         res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
> +       if (res == PJ_SUCCESS && (!PJSIP_URI_SCHEME_IS_SIP(dlg->target) && !PJSIP_URI_SCHEME_IS_SIPS(dlg->target))) {
> +               /* dlg->target is not a pjsip_sip_uri but a pjsip_other_uri;
> +                * but we don't expect those below. Fail now. */
> +               res = PJSIP_EINVALIDURI;
> +       }
>         if (res != PJ_SUCCESS) {
>                 if (res == PJSIP_EINVALIDURI) {
>                         ast_log(LOG_ERROR,
> {noformat}
> ^- I'll put this on gerrit



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list