[asterisk-bugs] [JIRA] (ASTERISK-28973) Malformed IP address in SDP of 2nd SIP timer triggered INVITE when NAT is active (UDP transport with external_media_address)

Michael Neuhauser (JIRA) noreply at issues.asterisk.org
Tue Jun 30 10:23:25 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251310#comment-251310 ] 

Michael Neuhauser edited comment on ASTERISK-28973 at 6/30/20 10:22 AM:
------------------------------------------------------------------------

Analysis: the code to modify the SDP (in res_pjsip_session.c:session_outgoing_nat_hook() and also (redundantly?) in res_pjsip_sdp_rtp.c:change_outgoing_sdp_stream_media_address()) uses the tdata->pool to allocate the replacement string. But the *same* pjmedia_sdp_stream that was modified for the 1st refresh-INVITE is also used for the 2nd refresh-INVITE (because it is stored in pjmedia's pjmedia_sdp_neg structure). The problem is that at that moment, the tdata->pool that holds the stringified external_media_address from the 1st refresh-INVITE has long been reused for something else.

Solution: in pjproject/source/pjsip/src/pjsip-ua/sip_timer.c:timer_cb(), modify a cloned copy of the pjmedia_sdp_stream, not the stored original to protect it from changes (as is done in pjproject/source/pjsip/src/pjsip-ua/sip_inv.c when calling pjsip_create_sdp_body()). See attached patch.



was (Author: mneuhauser):
Analysis: the code to modify the SDP (in res_pjsip_session.c:session_outgoing_nat_hook() and also (redundantly?) in res_pjsip_sdp_rtp.c:change_outgoing_sdp_stream_media_address()) uses the tdata->pool to allocate the replacement string. But the *same* pjmedia_sdp_stream that was modified for the 1st refresh-INVITE is also used for the 2nd refresh-INVITE (because it is stored in pjmedia's pjmedia_sdp_stream and reused for the 2nd refresh-INVITE). The problem is that at that moment, the tdata->pool that holds the stringified external_media_address from the 1st refresh-INVITE has long been reused for something else.

Solution: in pjproject/source/pjsip/src/pjsip-ua/sip_timer.c:timer_cb(), modify a cloned copy of the pjmedia_sdp_stream, not the stored original to protect it from changes (as is done in pjproject/source/pjsip/src/pjsip-ua/sip_inv.c when calling pjsip_create_sdp_body()). See attached patch.


> Malformed IP address in SDP of 2nd SIP timer triggered INVITE when NAT is active (UDP transport with external_media_address)
> ----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-28973
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28973
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 16.11.0
>            Reporter: Michael Neuhauser
>              Labels: patch
>         Attachments: 0060-clone-sdp-for-sip-timer-refresh-invite.patch
>
>
> PJSIP, UDP transport with external_media_address and session timers enabled. Connected to SIP server that is not in local net. Asterisk initiated the connection and is refreshing the session after 150s (timeout 300s). The 2nd refresh-INVITE triggered by the pjsip timer has a malformed IP address in its SDP (garbage string). This only happens when the SDP is modified by the nat-code to replace the local IP address with the configured external_media_address.



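The lifetime mismatch described in the analysis above, reduced to a toy model. This is an added example, not Asterisk or pjproject code: `pool_t`, `sdp_t`, `nat_hook`, `refresh` and `run` are hypothetical stand-ins, the addresses and the `OPTIONS` string are constructed, and the hook's "rewrite only while the address is still the local one" check is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>
#define LOCAL_ADDR    "192.168.1.10"  /* constructed sample values */
#define EXTERNAL_ADDR "203.0.113.5"

/* Toy per-message pool: like tdata->pool, its memory is recycled once the message is sent. */
typedef struct { char buf[64]; size_t used; } pool_t;

static const char *pool_strdup(pool_t *p, const char *s) {
    size_t n = strlen(s) + 1;
    if (p->used + n > sizeof p->buf) return NULL;
    char *dst = memcpy(p->buf + p->used, s, n);
    p->used += n;
    return dst;
}
/* Toy SDP that outlives any single message (the negotiator's stored copy). */
typedef struct { const char *conn_addr; } sdp_t;

/* NAT hook (assumed behaviour): rewrite only a local address; the new string lives in the message pool. */
static void nat_hook(sdp_t *sdp, pool_t *msg_pool) {
    if (strcmp(sdp->conn_addr, LOCAL_ADDR) == 0) {
        const char *ext = pool_strdup(msg_pool, EXTERNAL_ADDR);
        if (ext) sdp->conn_addr = ext;
    }
}

/* Build one refresh-INVITE c= line. cloned=0 edits the stored SDP, cloned=1 edits a copy. */
static void refresh(sdp_t *stored, pool_t *msg_pool, int cloned, char *out, size_t len) {
    sdp_t copy = *stored;  /* a struct copy suffices here: the hook replaces the pointer */
    sdp_t *sdp = cloned ? &copy : stored;
    nat_hook(sdp, msg_pool);
    snprintf(out, len, "c=IN IP4 %s", sdp->conn_addr);
}

/* Two refreshes, with the pool memory recycled for an unrelated message in between. */
static void run(int cloned, char *first, char *second, size_t len) {
    pool_t pool = { {0}, 0 };
    sdp_t stored = { LOCAL_ADDR };
    refresh(&stored, &pool, cloned, first, len);
    pool.used = 0;                               /* message sent, pool released */
    (void)pool_strdup(&pool, "OPTIONS sip:x");   /* constructed: memory reused elsewhere */
    refresh(&stored, &pool, cloned, second, len);
}

int main(void) {
    char a[64], b[64];
    for (int cloned = 0; cloned <= 1; cloned++) {
        run(cloned, a, b, sizeof a);
        printf("cloned=%d\n  1st: %s\n  2nd: %s\n", cloned, a, b);
    }
}
```

With `cloned=0` the second line carries whatever now occupies the recycled pool memory; with `cloned=1` the stored SDP is never pointed at short-lived memory, so both refreshes carry the external address.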