pjsip_messaging, pjsip_header_funcs: Crashes due to NULL pointer dereferences
authorKevin Harwell <kharwell@digium.com>
Tue, 12 Nov 2013 16:49:17 +0000 (16:49 +0000)
committerKevin Harwell <kharwell@digium.com>
Tue, 12 Nov 2013 16:49:17 +0000 (16:49 +0000)
Both res_pjsip_messaging and res_pjsip_header_funcs were causing asterisk to
crash because they were trying to dereference a NULL pointer.

In the case of res_pjsip_messaging it was attempting to "print" a contact
header that did not exist.  In fact contact headers should not be part of
a SIP MESSAGE, so the offending code was simply removed.

In the case of res_pjsip_header_funcs a null private channel tech was being
passed to the function and then later dereferenced.  Added null checks (and
error logging) to the read/write function handlers to guard against crashing.

(closes issue ASTERISK-22821)
Reported by: Anthony Messina
........

Merged revisions 402757 from http://svn.asterisk.org/svn/asterisk/branches/12

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@402758 65c4cc65-6c06-0410-ace0-fbb531ad65f3

res/res_pjsip_header_funcs.c
res/res_pjsip_messaging.c

index 7425d8f..11ab44c 100644 (file)
@@ -452,6 +452,11 @@ static int func_read_header(struct ast_channel *chan, const char *function, char
                                                 AST_APP_ARG(header_name); AST_APP_ARG(header_number););
        AST_STANDARD_APP_ARGS(args, data);
 
+       if (!channel) {
+               ast_log(LOG_ERROR, "This function requires a PJSIP channel.\n");
+               return -1;
+       }
+
        if (ast_strlen_zero(args.action)) {
                ast_log(AST_LOG_ERROR, "This function requires an action.\n");
                return -1;
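Review bot: The added `if (!channel)` guard only rejects a NULL private pointer, so it does not establish that `chan` is a PJSIP channel, although the log message says it does. `channel` is assigned above the hunk (func_read_header starts and ends outside it); if it is taken from the channel's tech private data, a non-PJSIP channel with a non-NULL private would pass this check and be read as the PJSIP structure, and a NULL `chan` would presumably fault before the check is reached. Consider validating `chan` and its technology before the private data is used, for example `if (!chan || strncmp(ast_channel_name(chan), "PJSIP/", 6)) {`. The same applies to the identical guard added to func_write_header in the next hunk. Both new blocks also log with `LOG_ERROR` where the neighbouring lines use `AST_LOG_ERROR`.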
@@ -506,6 +511,11 @@ static int func_write_header(struct ast_channel *chan, const char *cmd, char *da
                                                 AST_APP_ARG(header_name); AST_APP_ARG(header_number););
        AST_STANDARD_APP_ARGS(args, data);
 
+       if (!channel) {
+               ast_log(LOG_ERROR, "This function requires a PJSIP channel.\n");
+               return -1;
+       }
+
        if (ast_strlen_zero(args.action)) {
                ast_log(AST_LOG_ERROR, "This function requires an action.\n");
                return -1;
index c2dea7f..b66ee0b 100644 (file)
@@ -431,15 +431,9 @@ static enum pjsip_status_code rx_data_to_ast_msg(pjsip_rx_data *rdata, struct as
                CHECK_RES(ast_msg_set_from(msg, "%s", buf));
        }
 
-       /* contact header */
-       if ((size = pjsip_hdr_print_on(pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, NULL), buf, sizeof(buf)-1)) > 0) {
-               buf[size] = '\0';
-               CHECK_RES(ast_msg_set_var(msg, "SIP_FULLCONTACT", buf));
-       }
-
        /* receive address */
        field = pj_sockaddr_print(&rdata->pkt_info.src_addr, buf, sizeof(buf)-1, 1);
-       CHECK_RES(ast_msg_set_var(msg, "SIP_RECVADDR", field));
+       CHECK_RES(ast_msg_set_var(msg, "PJSIP_RECVADDR", field));
 
        /* body */
        if (print_body(rdata, buf, sizeof(buf) - 1) > 0) {
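Review bot: The rename of `SIP_RECVADDR` to `PJSIP_RECVADDR` here, and of `SIP_PEERNAME` to `PJSIP_PEERNAME` in the next hunk, changes names that dialplans read, and neither the commit message nor a comment mentions it. An existing dialplan that filters or routes messages on the old names would presumably get an empty value rather than an error, so a source-address or peer check written against `SIP_RECVADDR` could silently stop matching. A line in the upgrade notes would make this visible, as would a short comment above these calls such as `/* names are exposed to the dialplan via MESSAGE_DATA(); renaming them breaks existing lookups */`. `SIP_FULLCONTACT` is dropped in the same hunk and deserves the same mention. rx_data_to_ast_msg starts and ends outside the hunk.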
@@ -448,7 +442,7 @@ static enum pjsip_status_code rx_data_to_ast_msg(pjsip_rx_data *rdata, struct as
 
        /* endpoint name */
        if (endpt->id.self.name.valid) {
-               CHECK_RES(ast_msg_set_var(msg, "SIP_PEERNAME", endpt->id.self.name.str));
+               CHECK_RES(ast_msg_set_var(msg, "PJSIP_PEERNAME", endpt->id.self.name.str));
        }
 
        CHECK_RES(headers_to_vars(rdata, msg));