chan_sip: when getting sip pvt return failure if not found

In handle_request_invite, when processing a pickup, a call
is made to get_sip_pvt_from_replaces to locate the pvt for
the subscription. The pvt is assumed to be valid when zero
is returned indicating no error, and is dereferenced which
can cause a crash if it was not found.

This change checks the not found case and returns -1 which
allows the calling code to fail appropriately.

ASTERISK-27217 #close
Reported-by: Bryan Walters
Change-Id: I6bee92b8b8b85fcac3fd66f8c00ab18bc1765612

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index cd5cc0c770b49704bb56c0d3bb5640dbb6ec5123..89e1e3d8a162c1f84e21466f3e14f16344ce66ab 100644 (file)
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -18625,6 +18625,11 @@ static int get_sip_pvt_from_replaces(const char *callid, const char *totag,
                }
        }
 
+       if (!sip_pvt_ptr) {
+               /* return error if sip_pvt was not found */
+               return -1;
+       }
+
        /* If we're here sip_pvt_ptr has been copied to *out_pvt, prevent RAII_VAR cleanup */
        sip_pvt_ptr = NULL;