authorSergio Medina Toledo <lumasepa@gmail.com>2016-03-03 10:43:59 +0000
committerJoshua Colp <jcolp@digium.com>2016-03-17 13:12:29 -0500
commit2b1b8e382a46fccd12bd60145cee2ffcf69663a6 (patch)
treefcdee8f09e7f8a309a1b343380ff30323f8ebf12
parentaeef52db9fdd8b48ba294f573580525e8bb96471 (diff)
res_pjsip_refer.c: Fix seg fault in process of Refer-to header.
The "Refer-to" header of an incoming REFER request is parsed by pjsip_parse_uri(). That function requires the URI parameter to be NULL terminated. Unfortunately, the previous code added the NULL terminator by overwriting memory that may not be safe to write. The result of that overwrite could be benign, memory corruption, or a segmentation fault. Now the URI is NULL terminated safely by copying it into a new chunk of memory sized to hold the NULL terminator. ASTERISK-25814 #close Change-Id: I32565496684a5a49c3278fce06474b8c94b37342
-rw-r--r--res/res_pjsip_refer.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/res/res_pjsip_refer.c b/res/res_pjsip_refer.c
index 3766f9bb4..f3af65c3c 100644
--- a/res/res_pjsip_refer.c
+++ b/res/res_pjsip_refer.c
@@ -985,6 +985,7 @@ static int refer_incoming_refer_request(struct ast_sip_session *session, struct
{
pjsip_generic_string_hdr *refer_to;
char *uri;
+ size_t uri_size;
pjsip_uri *target;
pjsip_sip_uri *target_uri;
RAII_VAR(struct refer_progress *, progress, NULL, ao2_cleanup);
@@ -1018,20 +1019,19 @@ static int refer_incoming_refer_request(struct ast_sip_session *session, struct
return 0;
}
- /* This is done on purpose (and is safe) - it's done so that the value passed to
- * pjsip_parse_uri is NULL terminated as required
+ /* The ast_copy_pj_str to uri is needed because it puts the NULL terminator to the uri
+ * as pjsip_parse_uri require a NULL terminated uri
*/
- uri = refer_to->hvalue.ptr;
- uri[refer_to->hvalue.slen] = '\0';
- target = pjsip_parse_uri(rdata->tp_info.pool, refer_to->hvalue.ptr, refer_to->hvalue.slen, 0);
+ uri_size = pj_strlen(&refer_to->hvalue) + 1;
+ uri = ast_alloca(uri_size);
+ ast_copy_pj_str(uri, &refer_to->hvalue, uri_size);
+
+ target = pjsip_parse_uri(rdata->tp_info.pool, uri, uri_size - 1, 0);
+
if (!target
|| (!PJSIP_URI_SCHEME_IS_SIP(target)
&& !PJSIP_URI_SCHEME_IS_SIPS(target))) {
- size_t uri_size = pj_strlen(&refer_to->hvalue) + 1;
- char *uri = ast_alloca(uri_size);
-
- ast_copy_pj_str(uri, &refer_to->hvalue, uri_size);
pjsip_dlg_respond(session->inv_session->dlg, rdata, 400, NULL, NULL, NULL);
ast_debug(3, "Received a REFER without a parseable Refer-To ('%s') on channel '%s' from endpoint '%s'\n",