Asterisk
/
asterisk
mirror of https://github.com/asterisk/asterisk
1
0
Fork 0
Code Issues Releases Wiki Activity

res_pjsip_registrar.c: Prevent potential double free if AOR is not found

Browse Source 
The simple fix here is simply to NULL out username and password after we call
ast_free on them. Unfortunately, I noticed that we weren't checking for
allocation failures for username and password, and adding those checks made
things noisy and cumbersome.

So instead we partially rollback the recent LGTM patch, and move the alloca
calls into find_aor_name().

ASTERISK-28641 #close
Reported by: Ross Beer

Change-Id: Ic9d01624e717a020be0b0aee31f0814e7f1ffbe2
16.7
Sean Bright 6 years ago
parent 5c20cc4c3a
commit 68ce999351
1 changed files with 22 additions and 21 deletions
Show Stats Download Patch File Download Diff File

43
res/res_pjsip_registrar.c
Unescape View File

@ -949,14 +949,21 @@ static int match_aor(const char *aor_name, const char *id)
return 0; return 0;
} }
static char *find_aor_name(const char *username, const char *domain, const char *aors) static char *find_aor_name(const pj_str_t *pj_username, const pj_str_t *pj_domain, const char *aors)
{ {
char *configured_aors; char *configured_aors;
char *aors_buf; char *aors_buf;
char *aor_name; char *aor_name;
char *id_domain; char *id_domain;
char *username, *domain;
struct ast_sip_domain_alias *alias; struct ast_sip_domain_alias *alias;
/* Turn these into C style strings for convenience */
username = ast_alloca(pj_strlen(pj_username) + 1);
ast_copy_pj_str(username, pj_username, pj_strlen(pj_username) + 1);
domain = ast_alloca(pj_strlen(pj_domain) + 1);
ast_copy_pj_str(domain, pj_domain, pj_strlen(pj_domain) + 1);
id_domain = ast_alloca(strlen(username) + strlen(domain) + 2); id_domain = ast_alloca(strlen(username) + strlen(domain) + 2);
sprintf(id_domain, "%s@%s", username, domain); sprintf(id_domain, "%s@%s", username, domain);
@ -1006,11 +1013,10 @@ static struct ast_sip_aor *find_registrar_aor(struct pjsip_rx_data *rdata, struc
{ {
struct ast_sip_aor *aor = NULL; struct ast_sip_aor *aor = NULL;
char *aor_name = NULL; char *aor_name = NULL;
char *domain_name = NULL;
char *username = NULL;
int i; int i;
for (i = 0; i < AST_VECTOR_SIZE(&endpoint->ident_method_order); ++i) { for (i = 0; i < AST_VECTOR_SIZE(&endpoint->ident_method_order); ++i) {
pj_str_t username;
pjsip_sip_uri *uri; pjsip_sip_uri *uri;
pjsip_authorization_hdr *header = NULL; pjsip_authorization_hdr *header = NULL;
@ -1018,18 +1024,22 @@ static struct ast_sip_aor *find_registrar_aor(struct pjsip_rx_data *rdata, struc
case AST_SIP_ENDPOINT_IDENTIFY_BY_USERNAME: case AST_SIP_ENDPOINT_IDENTIFY_BY_USERNAME:
uri = pjsip_uri_get_uri(rdata->msg_info.to->uri); uri = pjsip_uri_get_uri(rdata->msg_info.to->uri);
domain_name = ast_malloc(uri->host.slen + 1); pj_strassign(&username, &uri->user);
ast_copy_pj_str(domain_name, &uri->host, uri->host.slen + 1);
username = ast_malloc(uri->user.slen + 1);
ast_copy_pj_str(username, &uri->user, uri->user.slen + 1);
/* /*
* We may want to match without any user options getting * We may want to match without any user options getting
* in the way. * in the way.
*
* Logic adapted from AST_SIP_USER_OPTIONS_TRUNCATE_CHECK for pj_str_t.
*/ */
AST_SIP_USER_OPTIONS_TRUNCATE_CHECK(username); if (ast_sip_get_ignore_uri_user_options()) {
pj_ssize_t semi = pj_strcspn2(&username, ";");
if (semi < pj_strlen(&username)) {
username.slen = semi;
}
}
aor_name = find_aor_name(username, domain_name, endpoint->aors); aor_name = find_aor_name(&username, &uri->host, endpoint->aors);
if (aor_name) { if (aor_name) {
ast_debug(3, "Matched aor '%s' by To username\n", aor_name); ast_debug(3, "Matched aor '%s' by To username\n", aor_name);
} }
@ -1038,12 +1048,8 @@ static struct ast_sip_aor *find_registrar_aor(struct pjsip_rx_data *rdata, struc
while ((header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION, while ((header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION,
header ? header->next : NULL))) { header ? header->next : NULL))) {
if (header && !pj_stricmp2(&header->scheme, "digest")) { if (header && !pj_stricmp2(&header->scheme, "digest")) {
username = ast_malloc(header->credential.digest.username.slen + 1); aor_name = find_aor_name(&header->credential.digest.username,
ast_copy_pj_str(username, &header->credential.digest.username, header->credential.digest.username.slen + 1); &header->credential.digest.realm, endpoint->aors);
domain_name = ast_malloc(header->credential.digest.realm.slen + 1);
ast_copy_pj_str(domain_name, &header->credential.digest.realm, header->credential.digest.realm.slen + 1);
aor_name = find_aor_name(username, domain_name, endpoint->aors);
if (aor_name) { if (aor_name) {
ast_debug(3, "Matched aor '%s' by Authentication username\n", aor_name); ast_debug(3, "Matched aor '%s' by Authentication username\n", aor_name);
break; break;
@ -1058,9 +1064,6 @@ static struct ast_sip_aor *find_registrar_aor(struct pjsip_rx_data *rdata, struc
if (aor_name) { if (aor_name) {
break; break;
} }
ast_free(domain_name);
ast_free(username);
} }
if (ast_strlen_zero(aor_name) || !(aor = ast_sip_location_retrieve_aor(aor_name))) { if (ast_strlen_zero(aor_name) || !(aor = ast_sip_location_retrieve_aor(aor_name))) {
@ -1068,11 +1071,9 @@ static struct ast_sip_aor *find_registrar_aor(struct pjsip_rx_data *rdata, struc
pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 404, NULL, NULL, NULL); pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 404, NULL, NULL, NULL);
ast_sip_report_req_no_support(endpoint, rdata, "registrar_requested_aor_not_found"); ast_sip_report_req_no_support(endpoint, rdata, "registrar_requested_aor_not_found");
ast_log(LOG_WARNING, "AOR '%s' not found for endpoint '%s'\n", ast_log(LOG_WARNING, "AOR '%s' not found for endpoint '%s'\n",
username ?: "", ast_sorcery_object_get_id(endpoint)); aor_name ?: "", ast_sorcery_object_get_id(endpoint));
} }
ast_free(aor_name); ast_free(aor_name);
ast_free(domain_name);
ast_free(username);
return aor; return aor;
} }

Write Preview
Loading…
Cancel
Save