[Asterisk-code-review] /res pjsip refer.c: Fix seg fault in process of Refer-to hea... (asterisk[master])
Sergio Medina Toledo
asteriskteam at digium.com
Thu Mar 3 05:00:43 CST 2016
Sergio Medina Toledo has uploaded a new change for review.
https://gerrit.asterisk.org/2348
Change subject: /res_pjsip_refer.c: Fix seg fault in process of Refer-to header.
......................................................................
/res_pjsip_refer.c: Fix seg fault in process of Refer-to header.
In an incoming Refer request when the "Refer-to" header is parsed and
extarcted the uri, that uri is parsed by "pjsip_parse_uri" fuction, the
second parameter of that function is the uri NULL terminated but the uri
may not come NULL terminated so before this fix the NULL terminator was
putted in a section of memory where it shouldn't be, so it can produce
a segmentation fault or a write of a 0 byte in a section of memory that
it shouldn't write modifiying another variable. Now the uri is NULL
terminated safely coping the uri to a new chunk of memory with the
correct size to be NULL terminated.
ASTERISK-25814 #close
Change-Id: I32565496684a5a49c3278fce06474b8c94b37342
---
M res/res_pjsip_refer.c
1 file changed, 9 insertions(+), 9 deletions(-)
git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/48/2348/1
diff --git a/res/res_pjsip_refer.c b/res/res_pjsip_refer.c
index f89f901..7578855 100644
--- a/res/res_pjsip_refer.c
+++ b/res/res_pjsip_refer.c
@@ -978,6 +978,7 @@
{
pjsip_generic_string_hdr *refer_to;
char *uri;
+ size_t uri_size = 0;
pjsip_uri *target;
pjsip_sip_uri *target_uri;
RAII_VAR(struct refer_progress *, progress, NULL, ao2_cleanup);
@@ -1011,20 +1012,19 @@
return 0;
}
- /* This is done on purpose (and is safe) - it's done so that the value passed to
- * pjsip_parse_uri is NULL terminated as required
+ /* The ast_copy_pj_str to uri is needed because it puts the NULL terminator to the uri
+ * as pjsip_parse_uri require a NULL terminated uri
*/
- uri = refer_to->hvalue.ptr;
- uri[refer_to->hvalue.slen] = '\0';
+
+ uri_size = pj_strlen(&refer_to->hvalue) + 1;
+ uri = ast_alloca(uri_size);
+ ast_copy_pj_str(uri, &refer_to->hvalue, uri_size);
- target = pjsip_parse_uri(rdata->tp_info.pool, refer_to->hvalue.ptr, refer_to->hvalue.slen, 0);
+ target = pjsip_parse_uri(rdata->tp_info.pool, uri, uri_size, 0);
+
if (!target
|| (!PJSIP_URI_SCHEME_IS_SIP(target)
&& !PJSIP_URI_SCHEME_IS_SIPS(target))) {
- size_t uri_size = pj_strlen(&refer_to->hvalue) + 1;
- char *uri = ast_alloca(uri_size);
-
- ast_copy_pj_str(uri, &refer_to->hvalue, uri_size);
pjsip_dlg_respond(session->inv_session->dlg, rdata, 400, NULL, NULL, NULL);
ast_debug(3, "Received a REFER without a parseable Refer-To ('%s') on channel '%s' from endpoint '%s'\n",
--
To view, visit https://gerrit.asterisk.org/2348
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I32565496684a5a49c3278fce06474b8c94b37342
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Sergio Medina Toledo <lumasepa at gmail.com>
More information about the asterisk-code-review
mailing list