diff options
author | Mark Michelson <mmichelson@digium.com> | 2015-09-10 09:49:45 -0500 |
---|---|---|
committer | Mark Michelson <mmichelson@digium.com> | 2015-09-10 09:55:00 -0500 |
commit | f1a2e82d49813b83ca9577938305ee6ccbb0c9c5 (patch) | |
tree | 3a5710c747ab1596c8af8d1585dc1ce3fa90b3c0 /res/res_pjsip.c | |
parent | be3f52a1227bf9cd4dbbb2553661ff6ed1d95c9c (diff) |
res_pjsip: Copy default_from_user to avoid crash.
The default_from_user retrieval function was pulling the
default_from_user from the global configuration struct in an unsafe way.
If using a database as a backend configuration store, the global
configuration struct is short-lived, so grabbing a pointer from it
results in referencing freed memory.
The fix here is to copy the default_from_user value out of the global
configuration struct.
Thanks go to John Hardin for discovering this problem and proposing the
patch on which this fix is based.
ASTERISK-25390 #close
Reported by Mark Michelson
Change-Id: I6b96067a495c1259da768f4012d44e03e7c6148c
Diffstat (limited to 'res/res_pjsip.c')
-rw-r--r-- | res/res_pjsip.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/res/res_pjsip.c b/res/res_pjsip.c index 4af886b4b..3e93b6f32 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -2338,9 +2338,11 @@ static int sip_dialog_create_from(pj_pool_t *pool, pj_str_t *from, const char *u pjsip_sip_uri *sip_uri; pjsip_transport_type_e type = PJSIP_TRANSPORT_UNSPECIFIED; int local_port; + char default_user[PJSIP_MAX_URL_SIZE]; if (ast_strlen_zero(user)) { - user = ast_sip_get_default_from_user(); + ast_sip_get_default_from_user(default_user, sizeof(default_user)); + user = default_user; } /* Parse the provided target URI so we can determine what transport it will end up using */ |