[Asterisk-code-review] res pjsip: Validate that contact uris start with sip: or sips: (asterisk[certified/13.1])

Mark Michelson asteriskteam at digium.com
Thu Sep 10 08:24:58 CDT 2015


Mark Michelson has uploaded a new change for review.

  https://gerrit.asterisk.org/1232

Change subject: res_pjsip:  Validate that contact uris start with sip: or sips:
......................................................................

res_pjsip:  Validate that contact uris start with sip: or sips:

Currently we use pjsip_parse_hdr to validate contact uris but it
appears that it allows uris without a scheme if there's a port
supplied.  I.E myexample.com will fail but myexample.com:5060 will
pass even though it has no scheme.  This causes SEGVs later on
whenever the uri is used.

To prevent this, permanent_contact_validate has been updated to check
that the scheme is either 'sip' or 'sips'.

2 uses of possibly-null endpoint have also been fixed in
create_out_of_dialog_request.

ASTERISK-24999

Change-Id: Ifc17d16a4923e1045d37fe51e43bbe29fa556ca2
Reported-by: Brad Latus
(cherry picked from commit 75666ad7c608ad9968a216a8f0a5832bf85b785c)
---
M res/res_pjsip.c
M res/res_pjsip/location.c
2 files changed, 11 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/32/1232/1

diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 6f79ebd..9726de9 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -2599,7 +2599,8 @@
 	if (sip_dialog_create_from(pool, &from, endpoint ? endpoint->fromuser : NULL,
 				endpoint ? endpoint->fromdomain : NULL, &remote_uri, &selector)) {
 		ast_log(LOG_ERROR, "Unable to create From header for %.*s request to endpoint %s\n",
-				(int) pj_strlen(&method->name), pj_strbuf(&method->name), ast_sorcery_object_get_id(endpoint));
+				(int) pj_strlen(&method->name), pj_strbuf(&method->name),
+				endpoint ? ast_sorcery_object_get_id(endpoint) : "<none>");
 		pjsip_endpt_release_pool(ast_sip_get_pjsip_endpoint(), pool);
 		return -1;
 	}
@@ -2607,7 +2608,8 @@
 	if (pjsip_endpt_create_request(ast_sip_get_pjsip_endpoint(), method, &remote_uri,
 			&from, &remote_uri, &from, NULL, -1, NULL, tdata) != PJ_SUCCESS) {
 		ast_log(LOG_ERROR, "Unable to create outbound %.*s request to endpoint %s\n",
-				(int) pj_strlen(&method->name), pj_strbuf(&method->name), ast_sorcery_object_get_id(endpoint));
+				(int) pj_strlen(&method->name), pj_strbuf(&method->name),
+				endpoint ? ast_sorcery_object_get_id(endpoint) : "<none>");
 		pjsip_endpt_release_pool(ast_sip_get_pjsip_endpoint(), pool);
 		return -1;
 	}
diff --git a/res/res_pjsip/location.c b/res/res_pjsip/location.c
index 08f4d16..05c6ff7 100644
--- a/res/res_pjsip/location.c
+++ b/res/res_pjsip/location.c
@@ -243,6 +243,8 @@
 	pj_pool_t *pool;
 	pj_str_t contact_uri;
 	static const pj_str_t HCONTACT = { "Contact", 7 };
+	pjsip_contact_hdr *contact_hdr;
+	int rc = 0;
 
 	pool = pjsip_endpt_create_pool(ast_sip_get_pjsip_endpoint(), "Permanent Contact Validation", 256, 256);
 	if (!pool) {
@@ -250,13 +252,14 @@
 	}
 
 	pj_strdup2_with_null(pool, &contact_uri, value);
-	if (!pjsip_parse_hdr(pool, &HCONTACT, contact_uri.ptr, contact_uri.slen, NULL)) {
-		pjsip_endpt_release_pool(ast_sip_get_pjsip_endpoint(), pool);
-		return -1;
+	if (!(contact_hdr = pjsip_parse_hdr(pool, &HCONTACT, contact_uri.ptr, contact_uri.slen, NULL))
+		|| !(PJSIP_URI_SCHEME_IS_SIP(contact_hdr->uri)
+			|| PJSIP_URI_SCHEME_IS_SIPS(contact_hdr->uri))) {
+		rc = -1;
 	}
 
 	pjsip_endpt_release_pool(ast_sip_get_pjsip_endpoint(), pool);
-	return 0;
+	return rc;
 }
 
 static int permanent_uri_sort_fn(const void *obj_left, const void *obj_right, int flags)

-- 
To view, visit https://gerrit.asterisk.org/1232
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ifc17d16a4923e1045d37fe51e43bbe29fa556ca2
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: certified/13.1
Gerrit-Owner: Mark Michelson <mmichelson at digium.com>
Gerrit-Reviewer: George Joseph <george.joseph at fairview5.com>



More information about the asterisk-code-review mailing list