res_pjsip: Prevent crashes when PJPROJECT presents an rdata with no message

When a message that exceeds the PJ_MAX_PKT_SIZE is sent over a reliable transport, it is possible (although it shouldn't occur) for pjproject to pass up an rdata object with a NULL msg in the msg_info. Needless to say, things that attempt to dereference this are in for a rough ride. In particular, this caused crashes in three different locations, all of which are 'low level' enough to intercept an rdata object early in processing: (1) res_pjsip_logger (2) res_hep_pjsip (3) res_pjsip/distributor Anything that can intercept an rdata object before res_pjsip/distributor should be defensive when looking at the received packet. #SIPit31 ASTERISK-24369 #close Reported by: Matt Jordan ........ Merged revisions 424618 from http://svn.asterisk.org/svn/asterisk/branches/12 ........ Merged revisions 424619 from http://svn.asterisk.org/svn/asterisk/branches/13 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@424620 65c4cc65-6c06-0410-ace0-fbb531ad65f3
11 years ago · 45b7b474ac
parent f27f41a288
commit 45b7b474ac
3 changed files with 14 additions and 2 deletions
--- a/res/res_hep_pjsip.c
+++ b/res/res_hep_pjsip.c
@ -121,8 +121,12 @@ static pj_bool_t logging_on_rx_msg(pjsip_rx_data *rdata)
 		return PJ_SUCCESS;
 	}

-	pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
-	pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+	if (rdata->tp_info.transport->addr_len) {
+		pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
+	}
+	if (rdata->pkt_info.src_addr_len) {
+		pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+	}

 	uuid = assign_uuid(&rdata->msg_info.cid->id, &rdata->msg_info.to->tag, &rdata->msg_info.from->tag);
 	if (!uuid) {
--- a/res/res_pjsip/pjsip_distributor.c
+++ b/res/res_pjsip/pjsip_distributor.c
@ -100,6 +100,10 @@ static pjsip_dialog *find_dialog(pjsip_rx_data *rdata)
 	pj_str_t *local_tag;
 	pj_str_t *remote_tag;

+	if (!rdata->msg_info.msg) {
+		return NULL;
+	}
+
 	if (rdata->msg_info.msg->type == PJSIP_REQUEST_MSG) {
 		local_tag = &rdata->msg_info.to->tag;
 		remote_tag = &rdata->msg_info.from->tag;
--- a/res/res_pjsip_logger.c
+++ b/res/res_pjsip_logger.c
@ -121,6 +121,10 @@ static pj_bool_t logging_on_rx_msg(pjsip_rx_data *rdata)
 		return PJ_FALSE;
 	}

+	if (!rdata->msg_info.msg) {
+		return PJ_FALSE;
+	}
+
 	ast_verbose("<--- Received SIP %s (%d bytes) from %s:%s:%d --->\n%s\n",
 		    rdata->msg_info.msg->type == PJSIP_REQUEST_MSG ? "request" : "response",
 		    rdata->msg_info.len,