From 739fca6084f2641d447956e59d56d1a851956196 Mon Sep 17 00:00:00 2001
From: Richard Mudgett
Date: Mon, 10 Aug 2015 18:23:02 -0500
Subject: [PATCH] res_pjsip.c: Fix crash from corrupt saved SUBSCRIBE message.

If the saved SUBSCRIBE message is not parseable for whatever reason then Asterisk could crash when libpjsip tries to parse the message and adds an error message to the parse error list.

* Made ast_sip_create_rdata() initialize the parse error rdata list. The list is checked after parsing to see that it remains empty for the function to return successful.

ASTERISK-25306
Reported by Mark Michelson

Change-Id: Ie0677f69f707503b1a37df18723bd59418085256
---
 res/res_pjsip.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 8621658812..436145a17a 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -2455,6 +2455,12 @@ int ast_sip_create_rdata(pjsip_rx_data *rdata, char *packet, const char *src_nam
 {
 	pj_str_t tmp;
 
+	/*
+	 * Initialize the error list in case there is a parse error
+	 * in the given packet.
+	 */
+	pj_list_init(&rdata->msg_info.parse_err);
+
 	rdata->tp_info.transport = PJ_POOL_ZALLOC_T(rdata->tp_info.pool, pjsip_transport);
 	if (!rdata->tp_info.transport) {
 		return -1;
@@ -2465,7 +2471,7 @@ int ast_sip_create_rdata(pjsip_rx_data *rdata, char *packet, const char *src_nam
 	rdata->pkt_info.src_port = src_port;
 
 	pjsip_parse_rdata(packet, strlen(packet), rdata);
-	if (!rdata->msg_info.msg) {
+	if (!rdata->msg_info.msg || !pj_list_empty(&rdata->msg_info.parse_err)) {
 		return -1;
 	}
 
-- 
2.47.2
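Review bot: The widened failure branch in the second hunk returns -1 without any diagnostic, so a corrupt persisted SUBSCRIBE is now discarded silently instead of crashing; since this is the guard against malformed stored input, a log line before the `return -1;` would make the condition visible to operators, e.g. `ast_log(LOG_WARNING, "Discarding unparseable saved SIP message from %s\n", rdata->pkt_info.src_name);`. The check also depends on the rest of `rdata` (notably `msg_info.msg`) being zeroed before pjsip_parse_rdata() runs — presumably the caller clears the struct, but that is not visible in either hunk, and the first hunk's `pj_list_init()` shows that at least one field was not covered by whatever the caller does. A short comment on the function header stating that `rdata` must be zero-initialized by the caller, with `parse_err` set up here, would document that assumption. ast_sip_create_rdata() begins and ends outside the hunks.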