[asterisk-bugs] [JIRA] (ASTERISK-28936) res_pjsip: crash when dialing non-sip uri
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Mon Jun 8 09:45:25 CDT 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-28936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251069#comment-251069 ]
Friendly Automation commented on ASTERISK-28936:
------------------------------------------------
Change 14502 merged by Friendly Automation:
pjsip: Prevent invalid memory access when attempting to contact a non-sip URI
[https://gerrit.asterisk.org/c/asterisk/+/14502|https://gerrit.asterisk.org/c/asterisk/+/14502]
> res_pjsip: crash when dialing non-sip uri
> -----------------------------------------
>
> Key: ASTERISK-28936
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28936
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_pjsip
> Affects Versions: 13.33.0
> Reporter: Walter Doekes
> Assignee: Walter Doekes
> Severity: Minor
>
> {noformat}
> *CLI> channel originate PJSIP/bob/tel:123 application Wait
> Segmentation fault
> {noformat}
> (Note that this does not always crash, because it depends on reading out-of-bounds mem.)
> BT:
> {noformat}
> (gdb) bt
> #0 __strncasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:198
> #1 0x00007ffff78e7c37 in pj_stricmp (str1=str1 at entry=0x7fff88009228, str2=str2 at entry=0x7fffa158b7f0 <x_name>) at ../include/pj/string_i.h:222
> #2 0x00007ffff784fdbd in pjsip_param_find (param_list=param_list at entry=0x7fff88009210, name=name at entry=0x7fffa158b7f0 <x_name>) at ../src/pjsip/sip_uri.c:38
> #3 0x00007fffa134bac3 in ast_sip_get_transport_name (endpoint=endpoint at entry=0x555555dde150, sip_uri=0x7fff88009188, buf=buf at entry=0x7fff9e842700 "", buf_len=buf_len at entry=128) at res_pjsip.c:3102
> #4 0x00007fffa134bbcf in ast_sip_set_tpselector_from_ep_or_uri (endpoint=endpoint at entry=0x555555dde150, sip_uri=<optimized out>, selector=selector at entry=0x7fff9e842830) at res_pjsip.c:3272
> #5 0x00007fffa134bc5c in ast_sip_dlg_set_transport (endpoint=endpoint at entry=0x555555dde150, dlg=0x7fff88008c38, selector=selector at entry=0x7fff9e842830) at res_pjsip.c:3130
> #6 0x00007fffa134bdfd in ast_sip_create_dialog_uac (endpoint=endpoint at entry=0x555555dde150, uri=uri at entry=0x7fff9e842ba4 "tekl:123 at bob", request_user=request_user at entry=0x0) at res_pjsip.c:3347
> {noformat}
> {noformat}
> (gdb) up
> #1 0x00007ffff78e7c37 in pj_stricmp (str1=str1 at entry=0x7fff88009228, str2=str2 at entry=0x7fffa158b7f0 <x_name>) at ../include/pj/string_i.h:222
> 222 int res = pj_ansi_strnicmp(str1->ptr, str2->ptr, min);
> (gdb) print *str1
> $1 = {ptr = 0x13 <error: Cannot access memory at address 0x13>, slen = 140737346742117}
> {noformat}
> The problem is in {{ast_sip_dlg_set_transport()}}. It assumes that the dlg->target is a {{pjsip_sip_uri}}, while it can also be a {{pjsip_other_uri}}:
> {code}
> pjsip_dialog *ast_sip_create_dialog_uac(const struct ast_sip_endpoint *endpoint,
> const char *uri, const char *request_user)
> {
> ...
> res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
> ...
> /* We have to temporarily bump up the sess_count here so the dialog is not prematurely destroyed */
> dlg->sess_count++;
> ast_sip_dlg_set_transport(endpoint, dlg, &selector);
> if (sip_dialog_create_from(dlg->pool, &local_uri, endpoint->fromuser, endpoint->fromdomain, &remote_uri, &selector)) {
> {code}
> And:
> {code}
> int ast_sip_dlg_set_transport(const struct ast_sip_endpoint *endpoint, pjsip_dialog *dlg,
> pjsip_tpselector *selector)
> {
> pjsip_sip_uri *uri;
> pjsip_tpselector sel = { .type = PJSIP_TPSELECTOR_NONE, };
> uri = pjsip_uri_get_uri(dlg->target); // <-- invalid "dynamic" cast to pjsip_sip_uri
> {code}
> {{pjsip_dlg_create_uac()}} will initialize {{dlg->target}}, but it's not guaranteed to be a pjsip_sip_uri.
> After the cast in {{ast_sip_dlg_set_transport}}, {{ast_sip_set_tpselector_from_ep_or_uri}} reads out of bounds memory. (Memory that a pjsip_sip_uri would own, but a pjsip_other_uri does not.)
> Result: crash.
> Possible fix:
> {noformat}
> --- a/res/res_pjsip.c
> +++ b/res/res_pjsip.c
> @@ -3327,6 +3327,11 @@ pjsip_dialog *ast_sip_create_dialog_uac(const struct ast_sip_endpoint *endpoint,
> pj_cstr(&target_uri, uri);
>
> res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
> + if (res == PJ_SUCCESS && (!PJSIP_URI_SCHEME_IS_SIP(dlg->target) && !PJSIP_URI_SCHEME_IS_SIPS(dlg->target))) {
> + /* dlg->target is not a pjsip_sip_uri but a pjsip_other_uri;
> + * but we don't expect those below. Fail now. */
> + res = PJSIP_EINVALIDURI;
> + }
> if (res != PJ_SUCCESS) {
> if (res == PJSIP_EINVALIDURI) {
> ast_log(LOG_ERROR,
> {noformat}
> ^- I'll put this on gerrit
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list