[asterisk-commits] res pjsip: Copy default from user to avoid crash. (asterisk[13])

[SVN commits to the Asterisk project]

Joshua Colp has submitted this change and it was merged.

Change subject: res_pjsip: Copy default_from_user to avoid crash.
......................................................................


res_pjsip: Copy default_from_user to avoid crash.

The default_from_user retrieval function was pulling the
default_from_user from the global configuration struct in an unsafe way.
If using a database as a backend configuration store, the global
configuration struct is short-lived, so grabbing a pointer from it
results in referencing freed memory.

The fix here is to copy the default_from_user value out of the global
configuration struct.

Thanks go to John Hardin for discovering this problem and proposing the
patch on which this fix is based.

ASTERISK-25390 #close
Reported by Mark Michelson

Change-Id: I6b96067a495c1259da768f4012d44e03e7c6148c
---
M include/asterisk/res_pjsip.h
M res/res_pjsip.c
M res/res_pjsip/config_global.c
3 files changed, 12 insertions(+), 11 deletions(-)

Approvals:
  Richard Mudgett: Looks good to me, but someone else must approve
  Anonymous Coward #1000019: Verified
  Joshua Colp: Looks good to me, approved



diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h
index 4f3fadc..a36935d 100644
--- a/include/asterisk/res_pjsip.h
+++ b/include/asterisk/res_pjsip.h
@@ -2046,9 +2046,11 @@
  * is no better option (such as an endpoint-configured from_user or
  * caller ID number).
  *
- * \retval The global default_from_user value.
+ * \param[out] from_user The default from user
+ * \param size The buffer size of from_user
+ * \return nothing
  */
-const char *ast_sip_get_default_from_user(void);
+void ast_sip_get_default_from_user(char *from_user, size_t size);
 
 /*! \brief Determines whether the res_pjsip module is loaded */
 #define CHECK_PJSIP_MODULE_LOADED()				\
diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 7afcb70..46edd31 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -2342,9 +2342,11 @@
 	pjsip_sip_uri *sip_uri;
 	pjsip_transport_type_e type = PJSIP_TRANSPORT_UNSPECIFIED;
 	int local_port;
+	char default_user[PJSIP_MAX_URL_SIZE];
 
 	if (ast_strlen_zero(user)) {
-		user = ast_sip_get_default_from_user();
+		ast_sip_get_default_from_user(default_user, sizeof(default_user));
+		user = default_user;
 	}
 
 	/* Parse the provided target URI so we can determine what transport it will end up using */
diff --git a/res/res_pjsip/config_global.c b/res/res_pjsip/config_global.c
index b348896..ef706f0 100644
--- a/res/res_pjsip/config_global.c
+++ b/res/res_pjsip/config_global.c
@@ -182,20 +182,17 @@
 	return time;
 }
 
-const char *ast_sip_get_default_from_user(void)
+void ast_sip_get_default_from_user(char *from_user, size_t size)
 {
-	const char *from_user;
 	struct global_config *cfg;
 
 	cfg = get_global_cfg();
 	if (!cfg) {
-		return DEFAULT_FROM_USER;
+		ast_copy_string(from_user, DEFAULT_FROM_USER, size);
+	} else {
+		ast_copy_string(from_user, cfg->default_from_user, size);
+		ao2_ref(cfg, -1);
 	}
-
-	from_user = cfg->default_from_user;
-	ao2_ref(cfg, -1);
-
-	return from_user;
 }
 
 /*!

-- 
To view, visit https://gerrit.asterisk.org/1235
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I6b96067a495c1259da768f4012d44e03e7c6148c
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Owner: Mark Michelson <mmichelson at digium.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Mark Michelson <mmichelson at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>