authorMark Michelson <mmichelson@digium.com>2015-09-10 09:49:45 -0500
committerMark Michelson <mmichelson@digium.com>2015-09-10 09:55:00 -0500
commitf1a2e82d49813b83ca9577938305ee6ccbb0c9c5 (patch)
tree3a5710c747ab1596c8af8d1585dc1ce3fa90b3c0 /res/res_pjsip.c
parentbe3f52a1227bf9cd4dbbb2553661ff6ed1d95c9c (diff)
res_pjsip: Copy default_from_user to avoid crash.
The default_from_user retrieval function was pulling the default_from_user from the global configuration struct in an unsafe way. If using a database as a backend configuration store, the global configuration struct is short-lived, so grabbing a pointer from it results in referencing freed memory. The fix here is to copy the default_from_user value out of the global configuration struct. Thanks go to John Hardin for discovering this problem and proposing the patch on which this fix is based. ASTERISK-25390 #close Reported by Mark Michelson Change-Id: I6b96067a495c1259da768f4012d44e03e7c6148c
Diffstat (limited to 'res/res_pjsip.c')
-rw-r--r--res/res_pjsip.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 4af886b4b..3e93b6f32 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -2338,9 +2338,11 @@ static int sip_dialog_create_from(pj_pool_t *pool, pj_str_t *from, const char *u
pjsip_sip_uri *sip_uri;
pjsip_transport_type_e type = PJSIP_TRANSPORT_UNSPECIFIED;
int local_port;
+ char default_user[PJSIP_MAX_URL_SIZE];
if (ast_strlen_zero(user)) {
- user = ast_sip_get_default_from_user();
+ ast_sip_get_default_from_user(default_user, sizeof(default_user));
+ user = default_user;
}
/* Parse the provided target URI so we can determine what transport it will end up using */
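Review bot: `default_user` is declared without an initializer in sip_dialog_create_from, and the added call is the only thing that fills it, so the code relies on ast_sip_get_default_from_user() always writing a NUL-terminated string into the buffer, including when the global configuration cannot be retrieved. The getter's body is not part of this hunk, so that guarantee cannot be confirmed here; if it is not unconditional, `user` would point at indeterminate stack bytes that are later used to build the From URI. Declaring the buffer as `char default_user[PJSIP_MAX_URL_SIZE] = "";`, or adding a comment at the call stating that the getter always terminates the output, would make the block safe to read on its own. The function body continues past the hunk, so it is also worth confirming that `user` is copied into `pool` before the function returns, since it now refers to a stack buffer rather than a heap string.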