[Asterisk-code-review] AST-2021-002: Remote crash possible when negotiating T.38 (asterisk[16.16])

Joshua Colp asteriskteam at digium.com
Thu Feb 18 10:23:01 CST 2021


Joshua Colp has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/15473 )


Change subject: AST-2021-002: Remote crash possible when negotiating T.38
......................................................................

AST-2021-002: Remote crash possible when negotiating T.38

When an endpoint requests to re-negotiate for fax and the incoming
re-invite is received prior to Asterisk sending out the 200 OK for
the initial invite the re-invite gets delayed. When Asterisk does
finally send the re-inivite the SDP includes streams for both audio
and T.38.

This happens because when the pending topology and active topologies
differ (pending stream is not in the active) in the delayed scenario
the pending stream is appended to the active topology. However, in
the fax case the pending stream should replace the active.

This patch makes it so when a delay occurs during fax negotiation,
to or from, the audio stream is replaced by the T.38 stream, or vice
versa instead of being appended.

Further when Asterisk sent the re-invite with both audio and T.38,
and the endpoint responded with a declined T.38 stream then Asterisk
would crash when attempting to change the T.38 state.

This patch also puts in a check that ensures the media state has a
valid fax session (associated udptl object) before changing the
T.38 state internally.

ASTERISK-29203 #close

Change-Id: I407f4fa58651255b6a9030d34fd6578cf65ccf09
---
M res/res_pjsip_session.c
M res/res_pjsip_t38.c
2 files changed, 17 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/73/15473/1

diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index 1025e15..044bdbc 100644
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -2268,7 +2268,14 @@
 					ast_sip_session_get_name(session));
 			}
 
-			if (active_media_state && active_media_state->topology) {
+			/*
+			 * Attempt to resolve only if objects are available, and it's not
+			 * switching to or from an image type.
+			 */
+			if (active_media_state && active_media_state->topology &&
+				(!active_media_state->default_session[AST_MEDIA_TYPE_IMAGE] ==
+				 !pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE])) {
+
 				struct ast_sip_session_media_state *new_pending_state;
 				/*
 				 * We need to check if the passed in active and pending states are equal
diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c
index 9c9569b..63abce5 100644
--- a/res/res_pjsip_t38.c
+++ b/res/res_pjsip_t38.c
@@ -320,6 +320,15 @@
 		int index;
 
 		session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+
+		/*
+		 * If there is a session_media object, but no udptl object available
+		 * then it's assumed the stream was declined.
+		 */
+		if (!session_media->udptl) {
+			session_media = NULL;
+		}
+
 		if (!session_media) {
 			ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n",
 					status.code, session->channel ? ast_channel_name(session->channel) : "unknown channel");

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15473
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 16.16
Gerrit-Change-Id: I407f4fa58651255b6a9030d34fd6578cf65ccf09
Gerrit-Change-Number: 15473
Gerrit-PatchSet: 1
Gerrit-Owner: Joshua Colp <jcolp at sangoma.com>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20210218/2d4e7b5d/attachment-0001.html>


More information about the asterisk-code-review mailing list