[Asterisk-code-review] pjsip: Prevent invalid memory access when attempting to contact a non... (asterisk[13])

[Walter Doekes]

Walter Doekes has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/14502 )


Change subject: pjsip: Prevent invalid memory access when attempting to contact a non-sip URI
......................................................................

pjsip: Prevent invalid memory access when attempting to contact a non-sip URI

You cannot cast a pjsip_uri to a pjsip_sip_uri using pjsip_uri_get_uri,
without checking that it's a PJSIP_URI_SCHEME_IS_SIP(S).

ASTERISK-28936

Change-Id: I9f572b3677e4730458e9402719e580f8681afe2a
---
M res/res_pjsip.c
1 file changed, 6 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/02/14502/1

diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index a595749..0b7b634 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -3327,6 +3327,12 @@
 	pj_cstr(&target_uri, uri);
 
 	res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
+	if (res == PJ_SUCCESS && !(PJSIP_URI_SCHEME_IS_SIP(dlg->target) || PJSIP_URI_SCHEME_IS_SIPS(dlg->target))) {
+		/* dlg->target is a pjsip_other_uri, but it's assumed to be a
+		 * pjsip_sip_uri below. Fail fast. */
+		res = PJSIP_EINVALIDURI;
+		pjsip_dlg_terminate(dlg);
+	}
 	if (res != PJ_SUCCESS) {
 		if (res == PJSIP_EINVALIDURI) {
 			ast_log(LOG_ERROR,

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/14502
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Change-Id: I9f572b3677e4730458e9402719e580f8681afe2a
Gerrit-Change-Number: 14502
Gerrit-PatchSet: 1
Gerrit-Owner: Walter Doekes <walter+asterisk at wjd.nu>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20200605/304bbe02/attachment.html>