When a message that exceeds the PJ_MAX_PKT_SIZE is sent over a reliable
transport, it is possible (although it shouldn't occur) for pjproject to pass
up an rdata object with a NULL msg in the msg_info. Needless to say, things
that attempt to dereference this are in for a rough ride.
In particular, this caused crashes in three different locations, all of which
are 'low level' enough to intercept an rdata object early in processing:
(1) res_pjsip_logger
(2) res_hep_pjsip
(3) res_pjsip/distributor
Anything that can intercept an rdata object before res_pjsip/distributor should
be defensive when looking at the received packet.
#SIPit31
ASTERISK-24369 #close
Reported by: Matt Jordan
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/12@424618 65c4cc65-6c06-0410-ace0-fbb531ad65f3
return PJ_SUCCESS;
}
- pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
- pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+ if (rdata->tp_info.transport->addr_len) {
+ pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
+ }
+ if (rdata->pkt_info.src_addr_len) {
+ pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+ }
uuid = assign_uuid(&rdata->msg_info.cid->id, &rdata->msg_info.to->tag, &rdata->msg_info.from->tag);
if (!uuid) {
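Review bot: the addr_len / src_addr_len guards stop pj_sockaddr_print from formatting an unset address, but the `uuid = assign_uuid(&rdata->msg_info.cid->id, &rdata->msg_info.to->tag, &rdata->msg_info.from->tag);` line that follows still dereferences the Call-ID, To and From header pointers in msg_info unconditionally. Since the commit message states that msg_info.msg can arrive NULL for a message over PJ_MAX_PKT_SIZE on a reliable transport, and res_hep_pjsip is named as one of the three crash sites, this hunk should either include the `if (!rdata->msg_info.msg)` check earlier in logging_on_rx_msg (as the other two hunks do for their callbacks) or add one here ahead of the address printing; please confirm such a check exists above the visible context.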
pj_str_t *local_tag;
pj_str_t *remote_tag;
+ if (!rdata->msg_info.msg) {
+ return NULL;
+ }
+
if (rdata->msg_info.msg->type == PJSIP_REQUEST_MSG) {
local_tag = &rdata->msg_info.to->tag;
remote_tag = &rdata->msg_info.from->tag;
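Review bot: the new `if (!rdata->msg_info.msg) { return NULL; }` in find_dialog carries no comment explaining when msg can be NULL, so a later reader will assume pjproject guarantees a parsed message at this point and may remove it as dead code. Suggest a one-line comment citing the oversized-packet case from the commit message (a message larger than PJ_MAX_PKT_SIZE on a reliable transport), and confirm that the caller treats a NULL return as "discard this rdata" rather than falling through to the dialog-less path, where `rdata->msg_info.msg->type` would be read again.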
return PJ_FALSE;
}
+ if (!rdata->msg_info.msg) {
+ return PJ_FALSE;
+ }
+
ast_verbose("<--- Received SIP %s (%d bytes) from %s:%s:%d --->\n%s\n",
rdata->msg_info.msg->type == PJSIP_REQUEST_MSG ? "request" : "response",
rdata->msg_info.len,
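Review bot: returning PJ_FALSE before the `ast_verbose("<--- Received SIP %s (%d bytes) from %s:%s:%d --->\n%s\n", ...` call makes the logger silently skip exactly the packets an operator who has enabled SIP logging is most likely trying to diagnose. The packet-level data is still available when msg is NULL (the first hunk prints `rdata->pkt_info.src_addr` from the same rdata), so consider emitting a short notice that a packet with no parsable SIP message was received from that source, possibly because it exceeded PJ_MAX_PKT_SIZE, before returning; keep the PJ_FALSE so the packet continues down the module chain as it does now.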