res_pjsip: Do not crash on ACKs from unknown endpoints.

The endpoint identification PJSIP module is intended to identify which
endpoint an incoming request is from. If an endpoint is not identified,
then an artificial endpoint is used in its place when proceeding.

The problem is that the ACK request type is an exception to the rule.
The artificial endpoint is not used when processing an ACK. This results
in the possibility of having a NULL endpoint being used further on.

The reason ACK is an exception is an attempt not to spam security logs
with unidentified requests. Presumably, you've already logged the
unidentified request on the preceeding INVITE.

Up until Asterisk 13.10, retrieving a NULL endpoint in this fashion
didn't cause an issue. A new change in 13.10 added endpoint ACL checking
shortly after endpoint identification. Because we are accessing a NULL
endpoint, this ACL check resulted in a crash.

The fix here is to be sure to retrieve the artificial endpoint for all
request types. ACKs still do not generate unidentified request security
events.

ASTERISK-26264 #close
Reported by nappsoft

AST-2016-006

Change-Id: Ie0c795ae2d72273decb972dd74b6a1489fb6b703

diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c
index 8a91196395217f89d3ce5dc0d16bec4f417924ec..ea3fff69b10bf5dd39e9f0f6cf1177651488791d 100644 (file)
--- a/res/res_pjsip/pjsip_distributor.c
+++ b/res/res_pjsip/pjsip_distributor.c
@@ -571,9 +571,7 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
                }
        }
 
-       if (!endpoint && !is_ack) {
-               char name[AST_UUID_STR_LEN] = "";
-               pjsip_uri *from = rdata->msg_info.from->uri;
+       if (!endpoint) {
 
                /* always use an artificial endpoint - per discussion no reason
                   to have "alwaysauthreject" as an option.  It is felt using it
@@ -581,6 +579,13 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
                   breaking old stuff and we really don't want to enable the discovery
                   of SIP accounts */
                endpoint = ast_sip_get_artificial_endpoint();
+       }
+
+       rdata->endpt_info.mod_data[endpoint_mod.id] = endpoint;
+
+       if (!is_ack) {
+               char name[AST_UUID_STR_LEN] = "";
+               pjsip_uri *from = rdata->msg_info.from->uri;
 
                if (PJSIP_URI_SCHEME_IS_SIP(from) || PJSIP_URI_SCHEME_IS_SIPS(from)) {
                        pjsip_sip_uri *sip_from = pjsip_uri_get_uri(from);
@@ -614,7 +619,6 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
                        ast_sip_report_invalid_endpoint(name, rdata);
                }
        }
-       rdata->endpt_info.mod_data[endpoint_mod.id] = endpoint;
        return PJ_FALSE;
 }