chan_sip: when getting sip pvt return failure if not found

In handle_request_invite, when processing a pickup, a call
is made to get_sip_pvt_from_replaces to locate the pvt for
the subscription. The pvt is assumed to be valid when zero
is returned indicating no error, and is dereferenced which
can cause a crash if it was not found.

This change checks the not found case and returns -1 which
allows the calling code to fail appropriately.

ASTERISK-27217 #close
Reported-by: Bryan Walters
Change-Id: I6bee92b8b8b85fcac3fd66f8c00ab18bc1765612

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index b19c66915b6d652d199d79c47364ba62c9bcc052..e862e9d5a36d3536a761df003921599eb1fd13b7 100644 (file)
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -18568,6 +18568,11 @@ static int get_sip_pvt_from_replaces(const char *callid, const char *totag,
                }
        }
 
+       if (!sip_pvt_ptr) {
+               /* return error if sip_pvt was not found */
+               return -1;
+       }
+
        /* If we're here sip_pvt_ptr has been copied to *out_pvt, prevent RAII_VAR cleanup */
        sip_pvt_ptr = NULL;