[asterisk-commits] mjordan: branch 13 r424619 - in /branches/13: ./ res/ res/res_pjsip/

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Sun Oct 5 19:31:17 CDT 2014


Author: mjordan
Date: Sun Oct  5 19:31:15 2014
New Revision: 424619

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=424619
Log:
res_pjsip: Prevent crashes when PJPROJECT presents an rdata with no message

When a message that exceeds the PJ_MAX_PKT_SIZE is sent over a reliable
transport, it is possible (although it shouldn't occur) for pjproject to pass
up an rdata object with a NULL msg in the msg_info. Needless to say, things
that attempt to dereference this are in for a rough ride.

In particular, this caused crashes in three different locations, all of which
are 'low level' enough to intercept an rdata object early in processing:

(1) res_pjsip_logger
(2) res_hep_pjsip
(3) res_pjsip/distributor

Anything that can intercept an rdata object before res_pjsip/distributor should
be defensive when looking at the received packet.

#SIPit31

ASTERISK-24369 #close
Reported by: Matt Jordan
........

Merged revisions 424618 from http://svn.asterisk.org/svn/asterisk/branches/12

Modified:
    branches/13/   (props changed)
    branches/13/res/res_hep_pjsip.c
    branches/13/res/res_pjsip/pjsip_distributor.c
    branches/13/res/res_pjsip_logger.c

Propchange: branches/13/
------------------------------------------------------------------------------
Binary property 'branch-12-merged' - no diff available.

Modified: branches/13/res/res_hep_pjsip.c
URL: http://svnview.digium.com/svn/asterisk/branches/13/res/res_hep_pjsip.c?view=diff&rev=424619&r1=424618&r2=424619
==============================================================================
--- branches/13/res/res_hep_pjsip.c (original)
+++ branches/13/res/res_hep_pjsip.c Sun Oct  5 19:31:15 2014
@@ -121,8 +121,12 @@
 		return PJ_SUCCESS;
 	}
 
-	pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
-	pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+	if (rdata->tp_info.transport->addr_len) {
+		pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
+	}
+	if (rdata->pkt_info.src_addr_len) {
+		pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+	}
 
 	uuid = assign_uuid(&rdata->msg_info.cid->id, &rdata->msg_info.to->tag, &rdata->msg_info.from->tag);
 	if (!uuid) {

Modified: branches/13/res/res_pjsip/pjsip_distributor.c
URL: http://svnview.digium.com/svn/asterisk/branches/13/res/res_pjsip/pjsip_distributor.c?view=diff&rev=424619&r1=424618&r2=424619
==============================================================================
--- branches/13/res/res_pjsip/pjsip_distributor.c (original)
+++ branches/13/res/res_pjsip/pjsip_distributor.c Sun Oct  5 19:31:15 2014
@@ -99,6 +99,10 @@
 	pjsip_dialog *dlg;
 	pj_str_t *local_tag;
 	pj_str_t *remote_tag;
+
+	if (!rdata->msg_info.msg) {
+		return NULL;
+	}
 
 	if (rdata->msg_info.msg->type == PJSIP_REQUEST_MSG) {
 		local_tag = &rdata->msg_info.to->tag;

Modified: branches/13/res/res_pjsip_logger.c
URL: http://svnview.digium.com/svn/asterisk/branches/13/res/res_pjsip_logger.c?view=diff&rev=424619&r1=424618&r2=424619
==============================================================================
--- branches/13/res/res_pjsip_logger.c (original)
+++ branches/13/res/res_pjsip_logger.c Sun Oct  5 19:31:15 2014
@@ -118,6 +118,10 @@
 static pj_bool_t logging_on_rx_msg(pjsip_rx_data *rdata)
 {
 	if (!pjsip_log_test_addr(rdata->pkt_info.src_name, rdata->pkt_info.src_port)) {
+		return PJ_FALSE;
+	}
+
+	if (!rdata->msg_info.msg) {
 		return PJ_FALSE;
 	}
 




More information about the asterisk-commits mailing list