res_pjsip: Copy default_from_user to avoid crash.

The default_from_user retrieval function was pulling the
default_from_user from the global configuration struct in an unsafe way.
If using a database as a backend configuration store, the global
configuration struct is short-lived, so grabbing a pointer from it
results in referencing freed memory.

The fix here is to copy the default_from_user value out of the global
configuration struct.

Thanks go to John Hardin for discovering this problem and proposing the
patch on which this fix is based.

ASTERISK-25390 #close
Reported by Mark Michelson

Change-Id: I6b96067a495c1259da768f4012d44e03e7c6148c

1 files changed, 5 insertions, 8 deletions

diff --git a/res/res_pjsip/config_global.c b/res/res_pjsip/config_global.c
index b348896c8..ef706f0b3 100644
--- a/res/res_pjsip/config_global.c
+++ b/res/res_pjsip/config_global.c
@@ -182,20 +182,17 @@ unsigned int ast_sip_get_max_initial_qualify_time(void)
 	return time;
 }
 
-const char *ast_sip_get_default_from_user(void)
+void ast_sip_get_default_from_user(char *from_user, size_t size)
 {
-	const char *from_user;
 	struct global_config *cfg;
 
 	cfg = get_global_cfg();
 	if (!cfg) {
-		return DEFAULT_FROM_USER;
+		ast_copy_string(from_user, DEFAULT_FROM_USER, size);
+	} else {
+		ast_copy_string(from_user, cfg->default_from_user, size);
+		ao2_ref(cfg, -1);
 	}
-
-	from_user = cfg->default_from_user;
-	ao2_ref(cfg, -1);
-
-	return from_user;
 }
 
 /*!