[asterisk-commits] mjordan: branch 12 r424618 - in /branches/12/res: ./ res_pjsip/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Sun Oct 5 19:30:38 CDT 2014
Author: mjordan
Date: Sun Oct 5 19:30:34 2014
New Revision: 424618
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=424618
Log:
res_pjsip: Prevent crashes when PJPROJECT presents an rdata with no message

When a message that exceeds the PJ_MAX_PKT_SIZE is sent over a reliable
transport, it is possible (although it shouldn't occur) for pjproject to pass
up an rdata object with a NULL msg in the msg_info. Needless to say, things
that attempt to dereference this are in for a rough ride.

In particular, this caused crashes in three different locations, all of which
are 'low level' enough to intercept an rdata object early in processing:
(1) res_pjsip_logger
(2) res_hep_pjsip
(3) res_pjsip/distributor

Anything that can intercept an rdata object before res_pjsip/distributor should
be defensive when looking at the received packet.

#SIPit31

ASTERISK-24369 #close
Reported by: Matt Jordan
Modified:
branches/12/res/res_hep_pjsip.c
branches/12/res/res_pjsip/pjsip_distributor.c
branches/12/res/res_pjsip_logger.c
Modified: branches/12/res/res_hep_pjsip.c
URL: http://svnview.digium.com/svn/asterisk/branches/12/res/res_hep_pjsip.c?view=diff&rev=424618&r1=424617&r2=424618
==============================================================================
--- branches/12/res/res_hep_pjsip.c (original)
+++ branches/12/res/res_hep_pjsip.c Sun Oct 5 19:30:34 2014
@@ -122,8 +122,12 @@
return PJ_SUCCESS;
}
- pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
- pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+ if (rdata->tp_info.transport->addr_len) {
+ pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
+ }
+ if (rdata->pkt_info.src_addr_len) {
+ pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+ }
uuid = assign_uuid(&rdata->msg_info.cid->id, &rdata->msg_info.to->tag, &rdata->msg_info.from->tag);
if (!uuid) {
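Review bot: The assign_uuid() call in the trailing context still dereferences rdata->msg_info.cid, rdata->msg_info.to and rdata->msg_info.from, and nothing in the visible lines checks rdata->msg_info.msg or those header pointers first, although the log message names res_hep_pjsip as one of the three crash sites for an rdata with a NULL msg. The other two files get an explicit `if (!rdata->msg_info.msg)` early return; the same guard before the assign_uuid() line (or a comment pointing at where the check already lives above this hunk) would make this file consistent with them. Separately, when addr_len or src_addr_len is zero, local_buf and remote_buf are no longer written by pj_sockaddr_print(), so it is worth confirming they are initialized to empty strings before they are used later, and a one-line comment on why a zero-length address can occur here would help the next reader.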
Modified: branches/12/res/res_pjsip/pjsip_distributor.c
URL: http://svnview.digium.com/svn/asterisk/branches/12/res/res_pjsip/pjsip_distributor.c?view=diff&rev=424618&r1=424617&r2=424618
==============================================================================
--- branches/12/res/res_pjsip/pjsip_distributor.c (original)
+++ branches/12/res/res_pjsip/pjsip_distributor.c Sun Oct 5 19:30:34 2014
@@ -99,6 +99,10 @@
pjsip_dialog *dlg;
pj_str_t *local_tag;
pj_str_t *remote_tag;
+
+ if (!rdata->msg_info.msg) {
+ return NULL;
+ }
if (rdata->msg_info.msg->type == PJSIP_REQUEST_MSG) {
local_tag = &rdata->msg_info.to->tag;
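Review bot: The new early return at the top of the function body returns NULL silently, with no comment saying when msg can be NULL and no log line. Since the log message describes this as a state that "shouldn't occur" (an oversized packet on a reliable transport), a short comment above `if (!rdata->msg_info.msg) {` and a debug or warning message would make the condition visible in the field instead of looking like an ordinary "no dialog found" result. Please also confirm that every caller treats a NULL return as "no dialog" and does not go on to touch rdata->msg_info.msg itself. The context line that follows reads rdata->msg_info.to->tag, so the guard covers msg only; if to can be NULL for a partially parsed message, it needs its own check.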
Modified: branches/12/res/res_pjsip_logger.c
URL: http://svnview.digium.com/svn/asterisk/branches/12/res/res_pjsip_logger.c?view=diff&rev=424618&r1=424617&r2=424618
==============================================================================
--- branches/12/res/res_pjsip_logger.c (original)
+++ branches/12/res/res_pjsip_logger.c Sun Oct 5 19:30:34 2014
@@ -118,6 +118,10 @@
static pj_bool_t logging_on_rx_msg(pjsip_rx_data *rdata)
{
if (!pjsip_log_test_addr(rdata->pkt_info.src_name, rdata->pkt_info.src_port)) {
+ return PJ_FALSE;
+ }
+
+ if (!rdata->msg_info.msg) {
return PJ_FALSE;
}
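Review bot: In logging_on_rx_msg(), the new `if (!rdata->msg_info.msg)` branch returns PJ_FALSE without logging anything, so the one packet that triggered the abnormal condition leaves no trace in the module whose job is to log received traffic. Consider emitting a single line with rdata->pkt_info.src_name and rdata->pkt_info.src_port (both already used in the check above) noting that a packet with no parsed message was received, and add a comment explaining the oversized-packet case from the log message. The ordering is fine: keeping the pjsip_log_test_addr() filter first means such a line would only appear for addresses the operator has chosen to log.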