From cd82d5ab42bffb92c0dd25c5a5b1d2ff27f155ea Mon Sep 17 00:00:00 2001 From: Walter Doekes Date: Fri, 5 Jun 2020 11:30:29 +0200 Subject: [PATCH] pjsip: Prevent invalid memory access when attempting to contact a non-sip URI You cannot cast a pjsip_uri to a pjsip_sip_uri using pjsip_uri_get_uri, without checking that it's a PJSIP_URI_SCHEME_IS_SIP(S). ASTERISK-28936 Change-Id: I9f572b3677e4730458e9402719e580f8681afe2a --- res/res_pjsip.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/res/res_pjsip.c b/res/res_pjsip.c index 8ab58e0cc7..af3b74e975 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -3588,6 +3588,12 @@ pjsip_dialog *ast_sip_create_dialog_uac(const struct ast_sip_endpoint *endpoint, pj_cstr(&target_uri, uri); res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg); + if (res == PJ_SUCCESS && !(PJSIP_URI_SCHEME_IS_SIP(dlg->target) || PJSIP_URI_SCHEME_IS_SIPS(dlg->target))) { + /* dlg->target is a pjsip_other_uri, but it's assumed to be a + * pjsip_sip_uri below. Fail fast. */ + res = PJSIP_EINVALIDURI; + pjsip_dlg_terminate(dlg); + } if (res != PJ_SUCCESS) { if (res == PJSIP_EINVALIDURI) { ast_log(LOG_ERROR, -- 2.47.2