[asterisk-dev] chan_sip crash

Jared Mauch jared at puck.nether.net
Fri Jun 10 11:30:03 CDT 2011

	We've seen a chan_sip crash a few times where the contact field
appears malformed from some clients.  If c is NULL, the remove_uri_parameters
function will cause the process to crash when it calls strchr.

	This check solves it and we have been operating with it for
several days without trouble on a "fair" volume system.  (several thousands
of calls with 200+ sip peers).

	We see UDP packet corruption from this peer often and haven't figured
out what part of the network is causing it, but it triggered this issue for us.

	It may also make sense to put the check in remove_uri_parameters
instead. I'm not wedded to this fix, but it should be included.

- Jared

diff -ru asterisk- asterisk-
--- asterisk-        2011-05-20 19:28:16.000000000 +0000
+++ asterisk-    2011-06-06 16:33:46.000000000 +0000
@@ -11300,7 +11300,8 @@
        ast_copy_string(stripped, get_header(req, "Contact"), sizeof(stripped));
        c = get_in_brackets(stripped);
        /* Cut the URI at the at sign after the @, not in the username part */
-       c = remove_uri_parameters(c);
+       if (c)
+               c = remove_uri_parameters(c);
        if (!ast_strlen_zero(c)) {
                ast_string_field_set(p, uri, c);

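Review bot: the `if (c)` guard covers only this one call, and when get_in_brackets(stripped) yields NULL the Contact is dropped without any log line, so the corrupting peer stays invisible to the operator. The fix also relies on `ast_strlen_zero(c)` on the next line accepting a NULL pointer. Consider putting the NULL check inside remove_uri_parameters itself, as the message suggests, so the function is safe wherever it is called, and logging a warning on the NULL path. The new `if` should carry braces to match the `if (!ast_strlen_zero(c)) {` that follows, and the "Cut the URI..." comment now sits above the guard rather than the call it describes.
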
-- snip --

Use this to test if your strchr will segfault if passed NULL:

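#include <stdio.h>	/* printf */
#include <string.h>	/* strchr */
#include <unistd.h>

int main(void)
{
	char *c = NULL;
	char *retval;

	/* Deliberately passes NULL; a crash here means strchr does not tolerate it. */
	retval = strchr(c, '@');
	printf("OK, No problems!\n");
	return 0;
}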

Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
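
The alternative raised in the message, putting the NULL check inside the parameter-stripping helper rather than at the call site, looks like this as an added example; it is not part of the original post and is not Asterisk code. The function names `uri_in_brackets`, `strip_uri_params` and `contact_uri` are hypothetical stand-ins, the bracket extractor returning NULL on a missing `>` is an assumed failure mode, and the sample headers are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a bracket extractor: returns the text between
 * '<' and '>' (modifying hdr in place), or NULL when either bracket is
 * missing, the assumed result of a corrupted Contact header. */
static char *uri_in_brackets(char *hdr)
{
	char *start, *end;

	if (!hdr || !(start = strchr(hdr, '<')) || !(end = strchr(start + 1, '>')))
		return NULL;
	*end = '\0';
	return start + 1;
}

/* Hypothetical NULL-tolerant parameter stripper: cuts at the first ';' after
 * the '@', so a ';' in the username part survives. NULL in, NULL out, and
 * strchr is never handed a NULL pointer. */
static char *strip_uri_params(char *uri)
{
	char *at, *semi;

	if (!uri)
		return NULL;
	at = strchr(uri, '@');
	semi = strchr(at ? at : uri, ';');
	if (semi)
		*semi = '\0';
	return uri;
}

/* Returns the cleaned URI, or NULL if the header is unusable. */
static char *contact_uri(char *hdr)
{
	return strip_uri_params(uri_in_brackets(hdr));
}

int main(void)
{
	/* Constructed sample headers; the second lost its tail, including '>'. */
	char good[] = "\"Bob\" <sip:bob;x=1@192.0.2.10:5060;transport=udp>;expires=60";
	char bad[]  = "\"Bob\" <sip:bob@192.0.2.10:5060;transp";
	char *g = contact_uri(good), *b = contact_uri(bad);

	printf("good -> %s\n", g ? g : "(rejected)");
	printf("bad  -> %s\n", b ? b : "(rejected)");
	return 0;
}
```

With the check inside the helper, callers only need to test the final result for NULL before using it.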
