<p>Friendly Automation has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/18138">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2022-005: pjproject - undefined behavior after freeing a dialog set<br><br>ASTERISK-29945 #close<br><br>Change-Id: Ia8ce6d82b115c82c1138747c72a0adcaa42b718c<br>---<br>A third-party/pjproject/patches/0171-dialog-set-free.patch<br>1 file changed, 114 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/38/18138/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/third-party/pjproject/patches/0171-dialog-set-free.patch b/third-party/pjproject/patches/0171-dialog-set-free.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..50fa505</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0171-dialog-set-free.patch</span><br><span>@@ -0,0 +1,114 @@</span><br><span style="color: hsl(120, 100%, 40%);">+From db3235953baa56d2fb0e276ca510fefca751643f Mon Sep 17 00:00:00 2001</span><br><span style="color: hsl(120, 100%, 40%);">+From: Nanang Izzuddin <nanang@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Date: Mon, 21 Feb 2022 06:24:52 +0700</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: [PATCH] Merge pull request from GHSA-ffff-m5fm-qm62</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Update pjsip_ua_unregister_dlg():</span><br><span style="color: hsl(120, 100%, 40%);">+- update the hash key if the dialog being unregistered is used as hash key.</span><br><span style="color: hsl(120, 100%, 40%);">+- add an assertion check to make sure that the dlg_set to be removed is valid (can be found in the hash table).</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Change hash key string comparison method.</span><br><span style="color: hsl(120, 100%, 40%);">+---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip/src/pjsip/sip_ua_layer.c | 48 +++++++++++++++++++++++++++++-----</span><br><span style="color: hsl(120, 100%, 40%);">+ 1 file changed, 42 insertions(+), 6 deletions(-)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjsip/src/pjsip/sip_ua_layer.c b/pjsip/src/pjsip/sip_ua_layer.c</span><br><span style="color: hsl(120, 100%, 40%);">+index 59c2524ba..5d79882a1 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjsip/src/pjsip/sip_ua_layer.c</span><br><span>++++ b/pjsip/src/pjsip/sip_ua_layer.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -65,6 +65,9 @@ struct dlg_set</span><br><span style="color: hsl(120, 100%, 40%);">+ /* This is the buffer to store this entry in the hash table. */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_hash_entry_buf ht_entry;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++ /* Entry key in the hash table */</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_str_t ht_key;</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ /* List of dialog in this dialog set. */</span><br><span style="color: hsl(120, 100%, 40%);">+ struct dlg_set_head dlg_list;</span><br><span style="color: hsl(120, 100%, 40%);">+ };</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -327,6 +330,7 @@ PJ_DEF(pj_status_t) pjsip_ua_register_dlg( pjsip_user_agent *ua,</span><br><span style="color: hsl(120, 100%, 40%);">+ * Create the dialog set and add this dialog to it.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+ dlg_set = alloc_dlgset_node();</span><br><span style="color: hsl(120, 100%, 40%);">++ dlg_set->ht_key = dlg->local.info->tag;</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_list_init(&dlg_set->dlg_list);</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_list_push_back(&dlg_set->dlg_list, dlg);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -334,8 +338,8 @@ PJ_DEF(pj_status_t) pjsip_ua_register_dlg( pjsip_user_agent *ua,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Register the dialog set in the hash table. */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_hash_set_np_lower(mod_ua.dlg_table, </span><br><span style="color: hsl(120, 100%, 40%);">+- dlg->local.info->tag.ptr,</span><br><span style="color: hsl(120, 100%, 40%);">+- (unsigned)dlg->local.info->tag.slen,</span><br><span style="color: hsl(120, 100%, 40%);">++ dlg_set->ht_key.ptr,</span><br><span style="color: hsl(120, 100%, 40%);">++ (unsigned)dlg_set->ht_key.slen,</span><br><span style="color: hsl(120, 100%, 40%);">+ dlg->local.tag_hval, dlg_set->ht_entry,</span><br><span style="color: hsl(120, 100%, 40%);">+ dlg_set);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -345,14 +349,15 @@ PJ_DEF(pj_status_t) pjsip_ua_register_dlg( pjsip_user_agent *ua,</span><br><span style="color: hsl(120, 100%, 40%);">+ struct dlg_set *dlg_set;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ dlg_set = alloc_dlgset_node();</span><br><span style="color: hsl(120, 100%, 40%);">++ dlg_set->ht_key = dlg->local.info->tag;</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_list_init(&dlg_set->dlg_list);</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_list_push_back(&dlg_set->dlg_list, dlg);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ dlg->dlg_set = dlg_set;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ pj_hash_set_np_lower(mod_ua.dlg_table, </span><br><span style="color: hsl(120, 100%, 40%);">+- dlg->local.info->tag.ptr,</span><br><span style="color: hsl(120, 100%, 40%);">+- (unsigned)dlg->local.info->tag.slen,</span><br><span style="color: hsl(120, 100%, 40%);">++ dlg_set->ht_key.ptr,</span><br><span style="color: hsl(120, 100%, 40%);">++ (unsigned)dlg_set->ht_key.slen,</span><br><span style="color: hsl(120, 100%, 40%);">+ dlg->local.tag_hval, dlg_set->ht_entry, dlg_set);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -397,12 +402,43 @@ PJ_DEF(pj_status_t) pjsip_ua_unregister_dlg( pjsip_user_agent *ua,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* If dialog list is empty, remove the dialog set from the hash table. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (pj_list_empty(&dlg_set->dlg_list)) {</span><br><span style="color: hsl(120, 100%, 40%);">+- pj_hash_set_lower(NULL, mod_ua.dlg_table, dlg->local.info->tag.ptr,</span><br><span style="color: hsl(120, 100%, 40%);">+- (unsigned)dlg->local.info->tag.slen, </span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Verify that the dialog set is valid */</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_assert(pj_hash_get_lower(mod_ua.dlg_table, dlg_set->ht_key.ptr,</span><br><span style="color: hsl(120, 100%, 40%);">++ (unsigned)dlg_set->ht_key.slen,</span><br><span style="color: hsl(120, 100%, 40%);">++ &dlg->local.tag_hval) == dlg_set);</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_hash_set_lower(NULL, mod_ua.dlg_table, dlg_set->ht_key.ptr,</span><br><span style="color: hsl(120, 100%, 40%);">++ (unsigned)dlg_set->ht_key.slen,</span><br><span style="color: hsl(120, 100%, 40%);">+ dlg->local.tag_hval, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Return dlg_set to free nodes. */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_list_push_back(&mod_ua.free_dlgset_nodes, dlg_set);</span><br><span style="color: hsl(120, 100%, 40%);">++ } else {</span><br><span style="color: hsl(120, 100%, 40%);">++ /* If the just unregistered dialog is being used as hash key,</span><br><span style="color: hsl(120, 100%, 40%);">++ * reset the dlg_set entry with a new key (i.e: from the first dialog</span><br><span style="color: hsl(120, 100%, 40%);">++ * in dlg_set).</span><br><span style="color: hsl(120, 100%, 40%);">++ */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (dlg_set->ht_key.ptr == dlg->local.info->tag.ptr &&</span><br><span style="color: hsl(120, 100%, 40%);">++ dlg_set->ht_key.slen == dlg->local.info->tag.slen)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">++ pjsip_dialog* key_dlg = dlg_set->dlg_list.next;</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Verify that the old & new keys share the hash value */</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_assert(key_dlg->local.tag_hval == dlg->local.tag_hval);</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_hash_set_lower(NULL, mod_ua.dlg_table, dlg_set->ht_key.ptr,</span><br><span style="color: hsl(120, 100%, 40%);">++ (unsigned)dlg_set->ht_key.slen,</span><br><span style="color: hsl(120, 100%, 40%);">++ dlg->local.tag_hval, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ dlg_set->ht_key = key_dlg->local.info->tag;</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_hash_set_np_lower(mod_ua.dlg_table,</span><br><span style="color: hsl(120, 100%, 40%);">++ dlg_set->ht_key.ptr,</span><br><span style="color: hsl(120, 100%, 40%);">++ (unsigned)dlg_set->ht_key.slen,</span><br><span style="color: hsl(120, 100%, 40%);">++ key_dlg->local.tag_hval, dlg_set->ht_entry,</span><br><span style="color: hsl(120, 100%, 40%);">++ dlg_set);</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Unlock user agent. */</span><br><span style="color: hsl(120, 100%, 40%);">+-- </span><br><span style="color: hsl(120, 100%, 40%);">+2.25.1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/18138">change 18138</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/18138"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 19 </div>
<div style="display:none"> Gerrit-Change-Id: Ia8ce6d82b115c82c1138747c72a0adcaa42b718c </div>
<div style="display:none"> Gerrit-Change-Number: 18138 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Friendly Automation </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>