[asterisk-commits] mjordan: branch 12 r424618 - in /branches/12/res: ./ res_pjsip/

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Sun Oct 5 19:30:38 CDT 2014


Author: mjordan
Date: Sun Oct  5 19:30:34 2014
New Revision: 424618

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=424618
Log:
res_pjsip: Prevent crashes when PJPROJECT presents an rdata with no message

When a message that exceeds the PJ_MAX_PKT_SIZE is sent over a reliable
transport, it is possible (although it shouldn't occur) for pjproject to pass
up an rdata object with a NULL msg in the msg_info. Needless to say, things
that attempt to dereference this are in for a rough ride.

In particular, this caused crashes in three different locations, all of which
are 'low level' enough to intercept an rdata object early in processing:

(1) res_pjsip_logger
(2) res_hep_pjsip
(3) res_pjsip/distributor

Anything that can intercept an rdata object before res_pjsip/distributor should
be defensive when looking at the received packet.

#SIPit31

ASTERISK-24369 #close
Reported by: Matt Jordan


Modified:
    branches/12/res/res_hep_pjsip.c
    branches/12/res/res_pjsip/pjsip_distributor.c
    branches/12/res/res_pjsip_logger.c

Modified: branches/12/res/res_hep_pjsip.c
URL: http://svnview.digium.com/svn/asterisk/branches/12/res/res_hep_pjsip.c?view=diff&rev=424618&r1=424617&r2=424618
==============================================================================
--- branches/12/res/res_hep_pjsip.c (original)
+++ branches/12/res/res_hep_pjsip.c Sun Oct  5 19:30:34 2014
@@ -122,8 +122,12 @@
 		return PJ_SUCCESS;
 	}
 
-	pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
-	pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+	if (rdata->tp_info.transport->addr_len) {
+		pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
+	}
+	if (rdata->pkt_info.src_addr_len) {
+		pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+	}
 
 	uuid = assign_uuid(&rdata->msg_info.cid->id, &rdata->msg_info.to->tag, &rdata->msg_info.from->tag);
 	if (!uuid) {

Modified: branches/12/res/res_pjsip/pjsip_distributor.c
URL: http://svnview.digium.com/svn/asterisk/branches/12/res/res_pjsip/pjsip_distributor.c?view=diff&rev=424618&r1=424617&r2=424618
==============================================================================
--- branches/12/res/res_pjsip/pjsip_distributor.c (original)
+++ branches/12/res/res_pjsip/pjsip_distributor.c Sun Oct  5 19:30:34 2014
@@ -99,6 +99,10 @@
 	pjsip_dialog *dlg;
 	pj_str_t *local_tag;
 	pj_str_t *remote_tag;
+
+	if (!rdata->msg_info.msg) {
+		return NULL;
+	}
 
 	if (rdata->msg_info.msg->type == PJSIP_REQUEST_MSG) {
 		local_tag = &rdata->msg_info.to->tag;

Modified: branches/12/res/res_pjsip_logger.c
URL: http://svnview.digium.com/svn/asterisk/branches/12/res/res_pjsip_logger.c?view=diff&rev=424618&r1=424617&r2=424618
==============================================================================
--- branches/12/res/res_pjsip_logger.c (original)
+++ branches/12/res/res_pjsip_logger.c Sun Oct  5 19:30:34 2014
@@ -118,6 +118,10 @@
 static pj_bool_t logging_on_rx_msg(pjsip_rx_data *rdata)
 {
 	if (!pjsip_log_test_addr(rdata->pkt_info.src_name, rdata->pkt_info.src_port)) {
+		return PJ_FALSE;
+	}
+
+	if (!rdata->msg_info.msg) {
 		return PJ_FALSE;
 	}
 




More information about the asterisk-commits mailing list