From: Scott Griepentrog <scott@griepentrog.com>
Date: Wed, 6 Sep 2017 21:05:32 +0000 (-0400)
Subject: chan_sip: when getting sip pvt return failure if not found
X-Git-Tag: 14.7.0-rc1~59^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74e4f7ecf1c88d691d487eb79acb8b8264804b52;p=thirdparty%2Fasterisk.git

chan_sip: when getting sip pvt return failure if not found

In handle_request_invite, when processing a pickup, a call
is made to get_sip_pvt_from_replaces to locate the pvt for
the subscription. The pvt is assumed to be valid when zero
is returned indicating no error, and is dereferenced which
can cause a crash if it was not found.

This change checks the not found case and returns -1 which
allows the calling code to fail appropriately.

ASTERISK-27217 #close
Reported-by: Bryan Walters

Change-Id: I6bee92b8b8b85fcac3fd66f8c00ab18bc1765612
---

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index cd5cc0c770..89e1e3d8a1 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -18625,6 +18625,11 @@ static int get_sip_pvt_from_replaces(const char *callid, const char *totag,
 		}
 	}
 
+	if (!sip_pvt_ptr) {
+		/* return error if sip_pvt was not found */
+		return -1;
+	}
+
 	/* If we're here sip_pvt_ptr has been copied to *out_pvt, prevent RAII_VAR cleanup */
 	sip_pvt_ptr = NULL;