chan_sip: Fix crash when accessing RURI before initiating outgoing call
authorNaveen Albert <asterisk@phreaknet.org>
Wed, 24 Nov 2021 02:21:23 +0000 (02:21 +0000)
committerFriendly Automation <jenkins2@gerrit.asterisk.org>
Mon, 13 Dec 2021 19:11:09 +0000 (13:11 -0600)
Attempting to access ${CHANNEL(ruri)} in a pre-dial handler before
initiating an outgoing call will cause Asterisk to crash. This is
because a null field is accessed, resulting in an offset from null and
subsequent memory access violation.

Since RURI is not guaranteed to exist, we now check if the base
pointer is non-null before calculating an offset.

ASTERISK-29772

Change-Id: Icd3b02f07256bbe6615854af5717074087b95a83

channels/sip/dialplan_functions.c

index 09804ce8a2aed5ac6b9677ee720882649e8ce9e4..f3488b419c18beae79b5394cf0818cda34611ada 100644 (file)
@@ -166,8 +166,12 @@ int sip_acf_channel_read(struct ast_channel *chan, const char *funcname, char *p
        } else if (!strcasecmp(args.param, "uri")) {
                ast_copy_string(buf, p->uri, buflen);
        } else if (!strcasecmp(args.param, "ruri")) {
-               char *tmpruri = REQ_OFFSET_TO_STR(&p->initreq, rlpart2);
-               ast_copy_string(buf, tmpruri, buflen);
+               if (p->initreq.data) {
+                       char *tmpruri = REQ_OFFSET_TO_STR(&p->initreq, rlpart2);
+                       ast_copy_string(buf, tmpruri, buflen);
+               } else {
+                       return -1;
+               }
        } else if (!strcasecmp(args.param, "useragent")) {
                ast_copy_string(buf, p->useragent, buflen);
        } else if (!strcasecmp(args.param, "peername")) {
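Review bot: The new `else { return -1; }` branch under `ruri` fails silently and has no comment saying when `p->initreq.data` is NULL, so a dialplan author reading ${CHANNEL(ruri)} in a pre-dial handler gets a failed read with nothing in the log to explain it. I would put a comment above the check, e.g. `/* initreq is empty until the outgoing request has been built, so there is no RURI to report yet */`, and log on the failing path with something like `ast_debug(1, "%s: no initial request yet, RURI unavailable\n", ast_channel_name(chan));`. The guard covers only the base pointer; whether `rlpart2` is a meaningful offset whenever `data` is non-NULL depends on the `REQ_OFFSET_TO_STR` definition and the request parsing, neither of which is visible in this hunk, so that is worth confirming. The function starts and ends outside the hunk, so it is also not visible whether `buf` has been cleared before this branch; if it has not, `buf[0] = '\0';` before the return would keep a caller that ignores the return value from reading stale contents.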