The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address, again using pj_strassign(). pj_strassign() doesn't
copy the actual value of the pj_str_t, however; it just copies the pointer, so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid, which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup() with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on, since the tdata
will be available for the life of the transaction.
Resolves: #GHSA-g8q2-p36q-94f6
/* If the chosen transport is not bound to any we can't use the source address as it won't get back to us */
if (!is_bound_any(tdata->tp_info.transport)) {
- pj_strassign(&prm.ret_addr, &tdata->tp_info.transport->local_name.host);
+ pj_strdup(tdata->pool, &prm.ret_addr, &tdata->tp_info.transport->local_name.host);
}
} else {
/* The transport chosen will deliver this but ensure it is updated with the right information */
- pj_strassign(&prm.ret_addr, &tdata->tp_info.transport->local_name.host);
+ pj_strdup(tdata->pool, &prm.ret_addr, &tdata->tp_info.transport->local_name.host);
}
/* If the message needs to be updated with new address do so */
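Review bot: the two replaced lines now carry an identical `pj_strdup(tdata->pool, &prm.ret_addr, ...)` call in both the `!is_bound_any()` branch and the `else` branch, and nothing at either call site records why a pool copy is required here instead of the cheaper `pj_strassign()`. Since the whole point of the change is the lifetime of `transport->local_name.host` versus the lifetime of `tdata`, a one-line comment at the first `pj_strdup()` along the lines of "copy into tdata->pool: the transport may be gone before this message is sent" would stop a later cleanup from reverting it to `pj_strassign()`. The allocation itself is correct for the stated goal: `tdata->pool` outlives the transport reference, so `prm.ret_addr` stays valid when the Contact host and SDP connection address are assigned from it later in the function.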