res_pjsip.c: Fix crash from corrupt saved SUBSCRIBE message. 63/1063/1
authorRichard Mudgett <rmudgett@digium.com>
Mon, 10 Aug 2015 23:23:02 +0000 (18:23 -0500)
committerRichard Mudgett <rmudgett@digium.com>
Tue, 11 Aug 2015 18:49:25 +0000 (13:49 -0500)
If the saved SUBSCRIBE message is not parseable for whatever reason then
Asterisk could crash when libpjsip tries to parse the message and adds an
error message to the parse error list.

* Made ast_sip_create_rdata() initialize the parse error rdata list.  The
list is checked after parsing, and the function returns success only if
the list is still empty.

ASTERISK-25306
Reported by Mark Michelson

Change-Id: Ie0677f69f707503b1a37df18723bd59418085256

res/res_pjsip.c

index 405ac68384dc08332bd021a8d22b327f2d0d21a2..76d013c1c98420856ab4ff09c21b4aa7bf1b47f6 100644 (file)
@@ -2649,6 +2649,12 @@ int ast_sip_create_rdata(pjsip_rx_data *rdata, char *packet, const char *src_nam
 {
        pj_str_t tmp;
 
+       /*
+        * Initialize the error list in case there is a parse error
+        * in the given packet.
+        */
+       pj_list_init(&rdata->msg_info.parse_err);
+
        rdata->tp_info.transport = PJ_POOL_ZALLOC_T(rdata->tp_info.pool, pjsip_transport);
        if (!rdata->tp_info.transport) {
                return -1;
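Review bot: The comment above `pj_list_init(&rdata->msg_info.parse_err);` says when the list matters but not why this function has to set it up itself. As far as I can tell, pjsip's transport layer normally initializes this list before calling the parser, and ast_sip_create_rdata() bypasses that path by building the rdata by hand. I would record that in the comment, for example `/* The transport layer normally does this before parsing; we build rdata ourselves, so the parser would otherwise append to an unlinked list head. */`. It would also be worth confirming that no other per-packet setup from that path is missing here. The function body continues outside the hunk.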
@@ -2659,7 +2665,7 @@ int ast_sip_create_rdata(pjsip_rx_data *rdata, char *packet, const char *src_nam
        rdata->pkt_info.src_port = src_port;
 
        pjsip_parse_rdata(packet, strlen(packet), rdata);
-       if (!rdata->msg_info.msg) {
+       if (!rdata->msg_info.msg || !pj_list_empty(&rdata->msg_info.parse_err)) {
                return -1;
        }
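Review bot: The widened check `if (!rdata->msg_info.msg || !pj_list_empty(&rdata->msg_info.parse_err))` returns -1 without saying which condition failed. A corrupt or tampered persisted SUBSCRIBE is therefore rejected with no trace for whoever has to investigate the stored data. I would log before the return, for example `ast_log(LOG_WARNING, "Saved SIP message from '%s' failed to parse\n", src_name);`, and keep the raw packet text out of the log line since it is untrusted content. If more detail is wanted, the first entry on `parse_err` carries the failing line and column, which is enough to locate the damage without echoing the message. The function body continues outside the hunk, so whether callers already log this failure cannot be confirmed from here.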