[Asterisk-code-review] /res pjsip refer.c: Fix seg fault in process of Refer-to hea... (asterisk[master])

Sergio Medina Toledo asteriskteam at digium.com
Thu Mar 3 05:00:43 CST 2016


Sergio Medina Toledo has uploaded a new change for review.

  https://gerrit.asterisk.org/2348

Change subject: /res_pjsip_refer.c: Fix seg fault in process of Refer-to header.
......................................................................

/res_pjsip_refer.c: Fix seg fault in process of Refer-to header.

    In an incoming Refer request, when the "Refer-to" header is parsed and
    the uri is extracted, that uri is parsed by the "pjsip_parse_uri" function.
    The second parameter of that function is the uri, NULL terminated, but the
    uri may not come NULL terminated, so before this fix the NULL terminator was
    put in a section of memory where it shouldn't be, so it can produce
    a segmentation fault or a write of a 0 byte in a section of memory that
    it shouldn't write to, modifying another variable. Now the uri is NULL
    terminated safely by copying the uri to a new chunk of memory with the
    correct size to be NULL terminated.

    ASTERISK-25814 #close

Change-Id: I32565496684a5a49c3278fce06474b8c94b37342
---
M res/res_pjsip_refer.c
1 file changed, 9 insertions(+), 9 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/48/2348/1

diff --git a/res/res_pjsip_refer.c b/res/res_pjsip_refer.c
index f89f901..7578855 100644
--- a/res/res_pjsip_refer.c
+++ b/res/res_pjsip_refer.c
@@ -978,6 +978,7 @@
 {
 	pjsip_generic_string_hdr *refer_to;
 	char *uri;
+	size_t uri_size = 0;
 	pjsip_uri *target;
 	pjsip_sip_uri *target_uri;
 	RAII_VAR(struct refer_progress *, progress, NULL, ao2_cleanup);
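Review bot: the `= 0` initializer on `size_t uri_size = 0;` is dead, since the variable is unconditionally assigned from `pj_strlen()` before it is read; `size_t uri_size;` beside `char *uri;` is enough and avoids suggesting that zero is a meaningful state.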
@@ -1011,20 +1012,19 @@
 		return 0;
 	}
 
-	/* This is done on purpose (and is safe) - it's done so that the value passed to
-	 * pjsip_parse_uri is NULL terminated as required
+	/* The ast_copy_pj_str to uri is needed because it puts the NULL terminator to the uri
+	 * as pjsip_parse_uri require a NULL terminated uri
 	 */
-	uri = refer_to->hvalue.ptr;
-	uri[refer_to->hvalue.slen] = '\0';
+	
+	uri_size = pj_strlen(&refer_to->hvalue) + 1;
+	uri = ast_alloca(uri_size);
+	ast_copy_pj_str(uri, &refer_to->hvalue, uri_size);
 
-	target = pjsip_parse_uri(rdata->tp_info.pool, refer_to->hvalue.ptr, refer_to->hvalue.slen, 0);
+	target = pjsip_parse_uri(rdata->tp_info.pool, uri, uri_size, 0);
+	
 	if (!target
 		|| (!PJSIP_URI_SCHEME_IS_SIP(target)
 			&& !PJSIP_URI_SCHEME_IS_SIPS(target))) {
-		size_t uri_size = pj_strlen(&refer_to->hvalue) + 1;
-		char *uri = ast_alloca(uri_size);
-
-		ast_copy_pj_str(uri, &refer_to->hvalue, uri_size);
 
 		pjsip_dlg_respond(session->inv_session->dlg, rdata, 400, NULL, NULL, NULL);
 		ast_debug(3, "Received a REFER without a parseable Refer-To ('%s') on channel '%s' from endpoint '%s'\n",
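Review bot: the length passed in `target = pjsip_parse_uri(rdata->tp_info.pool, uri, uri_size, 0);` now includes the NUL terminator, because `uri_size = pj_strlen(&refer_to->hvalue) + 1;` is the allocation size, whereas the removed call passed `refer_to->hvalue.slen`, the value length without a terminator. Pass `uri_size - 1` (or `pj_strlen(&refer_to->hvalue)`) so the parser sees exactly the header value and not a trailing 0x00 byte. Smaller points in the same hunk: the two added blank `+` lines carry a trailing tab and should be empty, the new comment should read "requires a NULL terminated uri", and removing the local `uri` from the error branch leaves a stray blank line at the top of that `if` body.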

-- 
To view, visit https://gerrit.asterisk.org/2348
To unsubscribe, visit https://gerrit.asterisk.org/settings
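The commit message describes a header value that points into a larger message buffer with no terminator of its own, so writing `'\0'` at `ptr[slen]` lands on whatever byte follows the value. The stand-alone C program below is an added illustration of that point and of the copy-based fix; it is not code from Asterisk or pjproject. `struct hdr_value` stands in for pjlib's pointer-plus-length string, `find_header_value`, `terminate_in_place`, `copy_terminated`, `parse_length` and `sample_message` are constructed helpers, and the SIP message is made up for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a pointer-plus-length string (constructed; not pjlib's pj_str_t).
 * ptr points into a larger buffer and ptr[slen] is NOT guaranteed to be '\0'. */
struct hdr_value {
    const char *ptr;
    long slen;
};

/* Constructed sample request. Returns a heap copy so callers may modify it. */
static char *sample_message(void)
{
    const char *msg =
        "REFER sip:bob@example.com SIP/2.0\r\n"
        "Refer-To: sip:alice@example.com\r\n"
        "To: <sip:bob@example.com>\r\n"
        "\r\n";
    char *copy = malloc(strlen(msg) + 1);
    if (copy) {
        strcpy(copy, msg);
    }
    return copy;
}

/* Point a hdr_value at the value of the named header inside msg, the way a
 * parsed header references the packet buffer (assumption for this demo). */
static int find_header_value(const char *msg, const char *name, struct hdr_value *out)
{
    const char *p = strstr(msg, name);
    const char *end;
    if (!p) {
        return 0;
    }
    p += strlen(name);
    while (*p == ' ') {
        p++;
    }
    end = strstr(p, "\r\n");
    if (!end) {
        return 0;
    }
    out->ptr = p;
    out->slen = (long)(end - p);
    return 1;
}

/* The approach the patch replaces: terminate in place inside the shared buffer.
 * Returns the byte that was overwritten so the damage is observable. */
static char terminate_in_place(char *msg, const struct hdr_value *v)
{
    char *w = msg + (v->ptr - msg);   /* writable alias of the value */
    char clobbered = w[v->slen];      /* belongs to the next line, not to us */
    w[v->slen] = '\0';
    return clobbered;
}

/* The approach the patch adopts: copy into a buffer of slen + 1 bytes and
 * terminate the copy, leaving the packet buffer untouched. */
static char *copy_terminated(const struct hdr_value *v, size_t *out_size)
{
    size_t size = (size_t)v->slen + 1;
    char *uri = malloc(size);
    if (!uri) {
        return NULL;
    }
    memcpy(uri, v->ptr, (size_t)v->slen);
    uri[v->slen] = '\0';
    *out_size = size;
    return uri;
}

/* Length to hand a parser that wants a terminated buffer: the characters
 * before the terminator, not the allocation size. */
static size_t parse_length(size_t alloc_size)
{
    return alloc_size - 1;
}

int main(void)
{
    char *msg = sample_message();
    struct hdr_value v;
    size_t size;
    char *uri;

    if (!msg || !find_header_value(msg, "Refer-To:", &v)) {
        return 1;
    }
    uri = copy_terminated(&v, &size);
    printf("copied uri: '%s' (alloc %zu, parse length %zu)\n", uri, size, parse_length(size));
    printf("in-place termination overwrote byte 0x%02x\n", (unsigned char)terminate_in_place(msg, &v));
    printf("next header still reachable: %s\n", strstr(msg, "\r\nTo:") ? "yes" : "no");
    free(uri);
    free(msg);
    return 0;
}
```

Running it shows the in-place variant overwriting the `'\r'` that ends the Refer-To line, after which the `To:` header is no longer reachable from the start of the buffer, while the copy leaves the message intact and yields a terminated string whose parse length is one less than its allocation.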

Gerrit-MessageType: newchange
Gerrit-Change-Id: I32565496684a5a49c3278fce06474b8c94b37342
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Sergio Medina Toledo <lumasepa at gmail.com>