[Asterisk-code-review] chan_sip: Fix crash when accessing RURI before initiating outgoing call (asterisk[16])

Friendly Automation asteriskteam at digium.com
Mon Dec 13 13:11:11 CST 2021


Friendly Automation has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/17664 )

Change subject: chan_sip: Fix crash when accessing RURI before initiating outgoing call
......................................................................

chan_sip: Fix crash when accessing RURI before initiating outgoing call

Attempting to access ${CHANNEL(ruri)} in a pre-dial handler before
initiating an outgoing call will cause Asterisk to crash. This is
because a null field is accessed, resulting in an offset from null and
subsequent memory access violation.

Since RURI is not guaranteed to exist, we now check if the base
pointer is non-null before calculating an offset.

ASTERISK-29772

Change-Id: Icd3b02f07256bbe6615854af5717074087b95a83
---
M channels/sip/dialplan_functions.c
1 file changed, 6 insertions(+), 2 deletions(-)

Approvals:
  George Joseph: Looks good to me, approved
  Friendly Automation: Approved for Submit



diff --git a/channels/sip/dialplan_functions.c b/channels/sip/dialplan_functions.c
index 09804ce..f3488b4 100644
--- a/channels/sip/dialplan_functions.c
+++ b/channels/sip/dialplan_functions.c
@@ -166,8 +166,12 @@
 	} else if (!strcasecmp(args.param, "uri")) {
 		ast_copy_string(buf, p->uri, buflen);
 	} else if (!strcasecmp(args.param, "ruri")) {
-		char *tmpruri = REQ_OFFSET_TO_STR(&p->initreq, rlpart2);
-		ast_copy_string(buf, tmpruri, buflen);
+		if (p->initreq.data) {
+			char *tmpruri = REQ_OFFSET_TO_STR(&p->initreq, rlpart2);
+			ast_copy_string(buf, tmpruri, buflen);
+		} else {
+			return -1;
+		}
 	} else if (!strcasecmp(args.param, "useragent")) {
 		ast_copy_string(buf, p->useragent, buflen);
 	} else if (!strcasecmp(args.param, "peername")) {
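
Review bot: The new else branch in the "ruri" case returns -1 without writing to buf and without any diagnostic, so a dialplan that reads ${CHANNEL(ruri)} in a pre-dial handler now fails silently. Consider logging (for example via ast_log at warning or debug level) that no initial request exists yet before returning, and document for the ruri parameter that it is unavailable until the initial request has been built. Separately, the guard tests only p->initreq.data, while REQ_OFFSET_TO_STR(&p->initreq, rlpart2) also depends on the rlpart2 offset; it is worth confirming that a non-null data always means rlpart2 has been populated. As a style point, an early "if (!p->initreq.data) { return -1; }" would avoid the extra nesting level.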

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/17664
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 16
Gerrit-Change-Id: Icd3b02f07256bbe6615854af5717074087b95a83
Gerrit-Change-Number: 17664
Gerrit-PatchSet: 2
Gerrit-Owner: N A <mail at interlinked.x10host.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-MessageType: merged