[asterisk-bugs] [JIRA] (ASTERISK-29024) pjsip: Route Header in Cancel request incorrectly set

Ralf Kubis (JIRA) noreply at issues.asterisk.org
Thu Oct 8 09:38:36 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252371#comment-252371 ] 

Ralf Kubis commented on ASTERISK-29024:
---------------------------------------

I forgot,

there is this other issue in *<src_root>\third-party\pjproject\source\pjsip\src\pjsip\sip_util.c*.
This is probably to be fixed in PJSIP.

In function {{pjsip_endpt_create_cancel(...)}}


{code:title=<src_root>/third-party/pjproject/source/pjsip/src/pjsip/sip_util.c|borderStyle=solid}
    /* Copy the destination host name from the original request */
    pj_strdup(
            cancel_tdata->pool
        ,   &cancel_tdata->dest_info.name
        ,   &req_tdata->dest_info.name
        );

    /* Finally copy the destination info from the original request */
    pj_memcpy(
            &cancel_tdata->dest_info
        ,   &req_tdata->dest_info
        ,   sizeof(req_tdata->dest_info)
        );
{code}

Here, {{cancel_tdata->dest_info.name}} received a deep-copy.
But the subsequent call to {{pj_memcpy()}} makes it shallow again.

My intermediate hack around this:

{code:title=<src_root>/third-party/pjproject/source/pjsip/src/pjsip/sip_util.c|borderStyle=solid}
    pj_memcpy(
            &cancel_tdata->dest_info
        ,   &req_tdata->dest_info
        ,   sizeof(req_tdata->dest_info)
        );

    cancel_tdata->dest_info.name.ptr  = 0;
    cancel_tdata->dest_info.name.slen = 0;

    /* Copy the destination host name from the original request */
    pj_strdup(
            cancel_tdata->pool
        ,   &cancel_tdata->dest_info.name
        ,   &req_tdata->dest_info.name
        );

{code}

> pjsip: Route Header in Cancel request incorrectly set
> -----------------------------------------------------
>
>                 Key: ASTERISK-29024
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29024
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 17.6.0
>            Reporter: Flole Systems
>            Assignee: Unassigned
>
> When I initiate a call using PJSIP and Cancel the call while it's still ringing the Route-Header seems to be sent incorrectly. It looks like it's a pointer to a memory region that got overwritten. I saw internal IP Addresses in there as well as some other stuff like "Route: <sip:}". The "Route: <sip:" is always set properly, just the part after the sip is never set correctly and also the closing ">" is always missing.
> As the memory region that it reads from can't be controlled it might happen that confidential data like a password is exposed over this.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
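As an added illustration (not pjproject code and not the commenter's patch): a toy model of the two copy orders, with a bump allocator standing in for pj_pool_t and simplified pj_str_t / dest_info stand-ins (assumed names). It shows that the original order leaves the CANCEL's dest_info.name pointing into the request's pool, so the name reads stale bytes once that pool is reused, while the reordered copy keeps an independent string.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for pjlib types (assumptions, not pjproject definitions). */
typedef struct { char *ptr; long slen; } str_t;                /* like pj_str_t */
typedef struct { str_t name; int other; } dest_info_t;         /* like tdata->dest_info, trimmed */
typedef struct { char buf[64]; size_t used; } pool_t;          /* toy bump allocator, like pj_pool_t */

/* Deep copy: bytes are duplicated into the target pool, like pj_strdup(). */
static void strdup_pool(pool_t *pool, str_t *dst, const str_t *src) {
    dst->ptr = pool->buf + pool->used;
    memcpy(dst->ptr, src->ptr, (size_t)src->slen);
    pool->used += (size_t)src->slen;
    dst->slen = src->slen;
}

/* Order from the report: strdup first, then memcpy overwrites the fresh copy
 * with the request's pointer, so name.ptr aliases the request's pool again. */
static void copy_dest_info_original(pool_t *pool, dest_info_t *cancel, const dest_info_t *req) {
    strdup_pool(pool, &cancel->name, &req->name);
    memcpy(cancel, req, sizeof(*req));
}

/* Reordered: memcpy the whole struct first, then replace the aliasing name
 * with a deep copy owned by the CANCEL's own pool. */
static void copy_dest_info_reordered(pool_t *pool, dest_info_t *cancel, const dest_info_t *req) {
    memcpy(cancel, req, sizeof(*req));
    cancel->name.ptr = 0;
    cancel->name.slen = 0;
    strdup_pool(pool, &cancel->name, &req->name);
}

/* Returns 1 if the CANCEL's destination name is still correct after the
 * request's pool has been released and reused (simulated by overwriting it). */
static int cancel_name_intact(int use_reordered) {
    pool_t req_pool = {{0}, 0}, cancel_pool = {{0}, 0};
    dest_info_t req = {{0, 0}, 42}, cancel = {{0, 0}, 0};
    str_t host = { "example.invalid", 15 };          /* constructed sample host name */
    strdup_pool(&req_pool, &req.name, &host);
    if (use_reordered) copy_dest_info_reordered(&cancel_pool, &cancel, &req);
    else copy_dest_info_original(&cancel_pool, &cancel, &req);
    if (cancel.other != 42) return 0;               /* the non-string fields must still be copied */
    memset(req_pool.buf, 'X', sizeof req_pool.buf);  /* request pool reused: aliases now read garbage */
    return cancel.name.slen == 15 && memcmp(cancel.name.ptr, "example.invalid", 15) == 0;
}
```

With the original order cancel_name_intact(0) returns 0 (the name now reads the reused bytes), with the reordered copy cancel_name_intact(1) returns 1.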
