From: Naveen Albert Date: Wed, 24 Nov 2021 02:21:23 +0000 (+0000) Subject: chan_sip: Fix crash when accessing RURI before initiating outgoing call X-Git-Tag: 18.10.0-rc1~59 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3108457d8f96a133fe2ab4212710b03dd2fbd967;p=thirdparty%2Fasterisk.git chan_sip: Fix crash when accessing RURI before initiating outgoing call Attempting to access ${CHANNEL(ruri)} in a pre-dial handler before initiating an outgoing call will cause Asterisk to crash. This is because a null field is accessed, resulting in an offset from null and subsequent memory access violation. Since RURI is not guaranteed to exist, we now check if the base pointer is non-null before calculating an offset. ASTERISK-29772 Change-Id: Icd3b02f07256bbe6615854af5717074087b95a83 --- diff --git a/channels/sip/dialplan_functions.c b/channels/sip/dialplan_functions.c index 7c34fc9023..74106d1be7 100644 --- a/channels/sip/dialplan_functions.c +++ b/channels/sip/dialplan_functions.c @@ -166,8 +166,12 @@ int sip_acf_channel_read(struct ast_channel *chan, const char *funcname, char *p } else if (!strcasecmp(args.param, "uri")) { ast_copy_string(buf, p->uri, buflen); } else if (!strcasecmp(args.param, "ruri")) { - char *tmpruri = REQ_OFFSET_TO_STR(&p->initreq, rlpart2); - ast_copy_string(buf, tmpruri, buflen); + if (p->initreq.data) { + char *tmpruri = REQ_OFFSET_TO_STR(&p->initreq, rlpart2); + ast_copy_string(buf, tmpruri, buflen); + } else { + return -1; + } } else if (!strcasecmp(args.param, "useragent")) { ast_copy_string(buf, p->useragent, buflen); } else if (!strcasecmp(args.param, "peername")) {
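Review bot: the new else branch in the "ruri" case returns -1 without writing to buf and without logging anything, so a dialplan that reads ${CHANNEL(ruri)} in a pre-dial handler gets a silent failure and buf keeps whatever it held before the call. Consider terminating the buffer (buf[0] = '\0') before the return and emitting a warning or debug message saying that no initial request exists yet. A one-line comment above the p->initreq.data test, noting that initreq has no data before the outgoing call is initiated, would record why the pointer can be NULL here. The guard covers only the base pointer; it is worth confirming that rlpart2 is always a valid offset once data is non-NULL, since the hunk does not show that.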