[asterisk-bugs] [JIRA] (ASTERISK-28936) res_pjsip: crash when dialing non-sip uri

Friendly Automation (JIRA) noreply at issues.asterisk.org
Mon Jun 8 09:45:25 CDT 2020


     [ https://issues.asterisk.org/jira/browse/ASTERISK-28936?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Friendly Automation closed ASTERISK-28936.
------------------------------------------

    Resolution: Fixed

> res_pjsip: crash when dialing non-sip uri
> -----------------------------------------
>
>                 Key: ASTERISK-28936
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28936
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip
>    Affects Versions: 13.33.0
>            Reporter: Walter Doekes
>            Assignee: Walter Doekes
>            Severity: Minor
>
> {noformat}
> *CLI> channel originate PJSIP/bob/tel:123 application Wait
> Segmentation fault
> {noformat}
> (Note that this does not always crash, because it depends on reading out-of-bounds mem.)
> BT:
> {noformat}
> (gdb) bt
> #0  __strncasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:198
> #1  0x00007ffff78e7c37 in pj_stricmp (str1=str1 at entry=0x7fff88009228, str2=str2 at entry=0x7fffa158b7f0 <x_name>) at ../include/pj/string_i.h:222
> #2  0x00007ffff784fdbd in pjsip_param_find (param_list=param_list at entry=0x7fff88009210, name=name at entry=0x7fffa158b7f0 <x_name>) at ../src/pjsip/sip_uri.c:38
> #3  0x00007fffa134bac3 in ast_sip_get_transport_name (endpoint=endpoint at entry=0x555555dde150, sip_uri=0x7fff88009188, buf=buf at entry=0x7fff9e842700 "", buf_len=buf_len at entry=128) at res_pjsip.c:3102
> #4  0x00007fffa134bbcf in ast_sip_set_tpselector_from_ep_or_uri (endpoint=endpoint at entry=0x555555dde150, sip_uri=<optimized out>, selector=selector at entry=0x7fff9e842830) at res_pjsip.c:3272
> #5  0x00007fffa134bc5c in ast_sip_dlg_set_transport (endpoint=endpoint at entry=0x555555dde150, dlg=0x7fff88008c38, selector=selector at entry=0x7fff9e842830) at res_pjsip.c:3130
> #6  0x00007fffa134bdfd in ast_sip_create_dialog_uac (endpoint=endpoint at entry=0x555555dde150, uri=uri at entry=0x7fff9e842ba4 "tekl:123 at bob", request_user=request_user at entry=0x0) at res_pjsip.c:3347
> {noformat}
> {noformat}
> (gdb) up
> #1  0x00007ffff78e7c37 in pj_stricmp (str1=str1 at entry=0x7fff88009228, str2=str2 at entry=0x7fffa158b7f0 <x_name>) at ../include/pj/string_i.h:222
> 222		int res = pj_ansi_strnicmp(str1->ptr, str2->ptr, min);
> (gdb) print *str1
> $1 = {ptr = 0x13 <error: Cannot access memory at address 0x13>, slen = 140737346742117}
> {noformat}
> The problem is in {{ast_sip_dlg_set_transport()}}. It assumes that the dlg->target is a {{pjsip_sip_uri}}, while it can also be a {{pjsip_other_uri}}:
> {code}
> pjsip_dialog *ast_sip_create_dialog_uac(const struct ast_sip_endpoint *endpoint,
>         const char *uri, const char *request_user)
> {
> ...
>         res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
> ...
>         /* We have to temporarily bump up the sess_count here so the dialog is not prematurely destroyed */
>         dlg->sess_count++;
>         ast_sip_dlg_set_transport(endpoint, dlg, &selector);
>         if (sip_dialog_create_from(dlg->pool, &local_uri, endpoint->fromuser, endpoint->fromdomain, &remote_uri, &selector)) {
> {code}
> And:
> {code}
> int ast_sip_dlg_set_transport(const struct ast_sip_endpoint *endpoint, pjsip_dialog *dlg,
>         pjsip_tpselector *selector)
> {
>         pjsip_sip_uri *uri;
>         pjsip_tpselector sel = { .type = PJSIP_TPSELECTOR_NONE, };
>         uri = pjsip_uri_get_uri(dlg->target);  // <-- invalid "dynamic" cast to pjsip_sip_uri
> {code}
> {{pjsip_dlg_create_uac()}} will initialize {{dlg->target}}, but it's not guaranteed to be a pjsip_sip_uri.
> After the cast in {{ast_sip_dlg_set_transport}}, {{ast_sip_set_tpselector_from_ep_or_uri}} reads out of bounds memory. (Memory that a pjsip_sip_uri would own, but a pjsip_other_uri does not.)
> Result: crash.
> Possible fix:
> {noformat}
> --- a/res/res_pjsip.c
> +++ b/res/res_pjsip.c
> @@ -3327,6 +3327,11 @@ pjsip_dialog *ast_sip_create_dialog_uac(const struct ast_sip_endpoint *endpoint,
>         pj_cstr(&target_uri, uri);
>  
>         res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
> +       if (res == PJ_SUCCESS && (!PJSIP_URI_SCHEME_IS_SIP(dlg->target) && !PJSIP_URI_SCHEME_IS_SIPS(dlg->target))) {
> +               /* dlg->target is not a pjsip_sip_uri but a pjsip_other_uri;
> +                * but we don't expect those below. Fail now. */
> +               res = PJSIP_EINVALIDURI;
> +       }
>         if (res != PJ_SUCCESS) {
>                 if (res == PJSIP_EINVALIDURI) {
>                         ast_log(LOG_ERROR,
> {noformat}
> ^- I'll put this on gerrit



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list