From: Kevin Harwell
Date: Mon, 1 Feb 2021 21:24:25 +0000 (-0600)
Subject: AST-2021-002: Remote crash possible when negotiating T.38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4f221dcf3a57b0787654de4f6e4bae3fe940452;p=thirdparty%2Fasterisk.git

AST-2021-002: Remote crash possible when negotiating T.38

When an endpoint requests to re-negotiate for fax and the incoming re-invite is received prior to Asterisk sending out the 200 OK for the initial invite the re-invite gets delayed. When Asterisk does finally send the re-invite the SDP includes streams for both audio and T.38.

This happens because when the pending topology and active topologies differ (pending stream is not in the active) in the delayed scenario the pending stream is appended to the active topology. However, in the fax case the pending stream should replace the active.

This patch makes it so when a delay occurs during fax negotiation, to or from, the audio stream is replaced by the T.38 stream, or vice versa instead of being appended.

Further when Asterisk sent the re-invite with both audio and T.38, and the endpoint responded with a declined T.38 stream then Asterisk would crash when attempting to change the T.38 state.

This patch also puts in a check that ensures the media state has a valid fax session (associated udptl object) before changing the T.38 state internally.

ASTERISK-29203 #close

Change-Id: I407f4fa58651255b6a9030d34fd6578cf65ccf09
---
diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c index 33c8383899..ec577a57dd 100644 --- a/res/res_pjsip_session.c +++ b/res/res_pjsip_session.c
@@ -2268,7 +2268,14 @@ static int sip_session_refresh(struct ast_sip_session *session, ast_sip_session_get_name(session)); } - if (active_media_state) { + /* + * Attempt to resolve only if objects are available, and it's not + * switching to or from an image type. + */ + if (active_media_state && active_media_state->topology && + (!active_media_state->default_session[AST_MEDIA_TYPE_IMAGE] == + !pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE])) { + struct ast_sip_session_media_state *new_pending_state; /* * We need to check if the passed in active and pending states are equal diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c index 9c9569b4f2..63abce5abf 100644 --- a/res/res_pjsip_t38.c +++ b/res/res_pjsip_t38.c @@ -320,6 +320,15 @@ static int t38_reinvite_response_cb(struct ast_sip_session *session, pjsip_rx_da int index; session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE]; + + /* + * If there is a session_media object, but no udptl object available + * then it's assumed the stream was declined. + */ + if (!session_media->udptl) { + session_media = NULL; + } + if (!session_media) { ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n", status.code, session->channel ? ast_channel_name(session->channel) : "unknown channel");
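Review bot: In the sip_session_refresh hunk of res/res_pjsip_session.c, the new condition reads `pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE]` without a NULL test, while `active_media_state` and its `topology` are both guarded in the same expression. If `pending_media_state` can be NULL on this path, the condition itself becomes a crash site; either add `pending_media_state &&` ahead of the comparison or say in the comment why it is guaranteed to be set here. The `!a == !b` form is a valid "both states have an image session or neither does" test, but it is easy to misread as a negated equality, so the block comment should spell that meaning out.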
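Review bot: In the t38_reinvite_response_cb hunk of res/res_pjsip_t38.c, the added `if (!session_media->udptl)` dereferences `session_media` before the existing `if (!session_media)` test that follows it, so a NULL `default_session[AST_MEDIA_TYPE_IMAGE]` entry would fault on the new line instead of reaching the LOG_WARNING branch. The added comment already says "If there is a session_media object"; make the code match it with `if (session_media && !session_media->udptl)`.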