[Asterisk-code-review] pjsip: Prevent invalid memory access when attempting to contact a non... (asterisk[16])

Friendly Automation asteriskteam at digium.com
Mon Jun 8 09:42:48 CDT 2020 

Friendly Automation has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/14498 )

Change subject: pjsip: Prevent invalid memory access when attempting to contact a non-sip URI
......................................................................

pjsip: Prevent invalid memory access when attempting to contact a non-sip URI

You cannot cast a pjsip_uri to a pjsip_sip_uri using pjsip_uri_get_uri,
without checking that it's a PJSIP_URI_SCHEME_IS_SIP(S).

ASTERISK-28936

Change-Id: I9f572b3677e4730458e9402719e580f8681afe2a
---
M res/res_pjsip.c
1 file changed, 6 insertions(+), 0 deletions(-)

Approvals:
  Joshua Colp: Looks good to me, but someone else must approve
  Sean Bright: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved
  Friendly Automation: Approved for Submit



diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 0043f2a..521a8f5 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -3545,6 +3545,12 @@
 	pj_cstr(&target_uri, uri);
 
 	res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
+	if (res == PJ_SUCCESS && !(PJSIP_URI_SCHEME_IS_SIP(dlg->target) || PJSIP_URI_SCHEME_IS_SIPS(dlg->target))) {
+		/* dlg->target is a pjsip_other_uri, but it's assumed to be a
+		 * pjsip_sip_uri below. Fail fast. */
+		res = PJSIP_EINVALIDURI;
+		pjsip_dlg_terminate(dlg);
+	}
 	if (res != PJ_SUCCESS) {
 		if (res == PJSIP_EINVALIDURI) {
 			ast_log(LOG_ERROR,

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/14498
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 16
Gerrit-Change-Id: I9f572b3677e4730458e9402719e580f8681afe2a
Gerrit-Change-Number: 14498
Gerrit-PatchSet: 2
Gerrit-Owner: Walter Doekes <walter+asterisk at wjd.nu>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Reviewer: Sean Bright <sean.bright at gmail.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20200608/1de47ec1/attachment.html>

More information about the asterisk-code-review mailing list