Author: mjordan
Date: Sun Oct 5 19:31:48 2014
New Revision: 424620

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=424620

Log:
res_pjsip: Prevent crashes when PJPROJECT presents an rdata with no message

When a message that exceeds the PJ_MAX_PKT_SIZE is sent over a reliable transport, it is possible (although it shouldn't occur) for pjproject to pass up an rdata object with a NULL msg in the msg_info. Needless to say, things that attempt to dereference this are in for a rough ride.

In particular, this caused crashes in three different locations, all of which are 'low level' enough to intercept an rdata object early in processing:
(1) res_pjsip_logger
(2) res_hep_pjsip
(3) res_pjsip/distributor

Anything that can intercept an rdata object before res_pjsip/distributor should be defensive when looking at the received packet.

#SIPit31

ASTERISK-24369 #close
Reported by: Matt Jordan
........
Merged revisions 424618 from http://svn.asterisk.org/svn/asterisk/branches/12
........
Merged revisions 424619 from http://svn.asterisk.org/svn/asterisk/branches/13

Modified:
    trunk/ (props changed)
    trunk/res/res_hep_pjsip.c
    trunk/res/res_pjsip/pjsip_distributor.c
    trunk/res/res_pjsip_logger.c

Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-13-merged' - no diff available.

Modified: trunk/res/res_hep_pjsip.c URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_hep_pjsip.c?view=diff&rev=424620&r1=424619&r2=424620 ============================================================================== --- trunk/res/res_hep_pjsip.c (original) +++ trunk/res/res_hep_pjsip.c Sun Oct 5 19:31:48 2014 
@@ -121,8 +121,12 @@ return PJ_SUCCESS; } - pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3); - pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3); + if (rdata->tp_info.transport->addr_len) { + pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3); + } + if (rdata->pkt_info.src_addr_len) { + pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3); + } uuid = assign_uuid(&rdata->msg_info.cid->id, &rdata->msg_info.to->tag, &rdata->msg_info.from->tag); if (!uuid) { Modified: trunk/res/res_pjsip/pjsip_distributor.c URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_pjsip/pjsip_distributor.c?view=diff&rev=424620&r1=424619&r2=424620 ============================================================================== --- trunk/res/res_pjsip/pjsip_distributor.c (original) +++ trunk/res/res_pjsip/pjsip_distributor.c Sun Oct 5 19:31:48 2014 @@ -99,6 +99,10 @@ pjsip_dialog *dlg; pj_str_t *local_tag; pj_str_t *remote_tag; + + if (!rdata->msg_info.msg) { + return NULL; + } if (rdata->msg_info.msg->type == PJSIP_REQUEST_MSG) { local_tag = &rdata->msg_info.to->tag; Modified: trunk/res/res_pjsip_logger.c URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_pjsip_logger.c?view=diff&rev=424620&r1=424619&r2=424620 ============================================================================== --- trunk/res/res_pjsip_logger.c (original) +++ trunk/res/res_pjsip_logger.c Sun Oct 5 19:31:48 2014 
@@ -118,6 +118,10 @@ static pj_bool_t logging_on_rx_msg(pjsip_rx_data *rdata) { if (!pjsip_log_test_addr(rdata->pkt_info.src_name, rdata->pkt_info.src_port)) { + return PJ_FALSE; + } + + if (!rdata->msg_info.msg) { return PJ_FALSE; }
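
Review bot: In the res_hep_pjsip.c hunk, when addr_len or src_addr_len is zero the new guards skip pj_sockaddr_print and leave local_buf and remote_buf untouched; the hunk does not show how those buffers are initialized, so make sure both start as empty strings (for example local_buf[0] = '\0') before anything later reads them. The addr_len test also dereferences rdata->tp_info.transport without checking it, and the unchanged assign_uuid(&rdata->msg_info.cid->id, &rdata->msg_info.to->tag, &rdata->msg_info.from->tag) line still dereferences cid, to and from. Unless the early return just above the hunk already covers a missing message, an explicit check on rdata->msg_info.msg here would match the guards added in the other two files.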
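
Review bot: In the pjsip_distributor.c hunk, the new early return on !rdata->msg_info.msg has no comment and no log line, so a reader of the code cannot tell why a received rdata would arrive without a message. A one-line comment naming the case from the commit message (a message exceeding PJ_MAX_PKT_SIZE on a reliable transport) would help. The callers are not visible in this hunk; confirm they treat the NULL return as "no dialog found" and do not go on to read rdata->msg_info.msg themselves.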
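
Review bot: In the res_pjsip_logger.c hunk, logging_on_rx_msg now returns PJ_FALSE silently when rdata->msg_info.msg is NULL, which hides the one packet an operator would most want to see when diagnosing this condition. The address test has already passed at that point, so consider emitting a short notice with rdata->pkt_info.src_name and rdata->pkt_info.src_port before returning, and add a comment stating when msg can be NULL.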
