author Matthew Jordan <mjordan@digium.com> 2014-10-06 00:31:15 +0000
committer Matthew Jordan <mjordan@digium.com> 2014-10-06 00:31:15 +0000
commit 69032d62aafe68bef42f0ef2c6d14b845d461e20 (patch)
tree 89f22681272f5bff9693dd323ed8a3dca9b6769b /res/res_pjsip
parent f36b64f58e1799383bf20292e90d5bc490d2ce90 (diff)
res_pjsip: Prevent crashes when PJPROJECT presents an rdata with no message
When a message that exceeds the PJ_MAX_PKT_SIZE is sent over a reliable transport, it is possible (although it shouldn't occur) for pjproject to pass up an rdata object with a NULL msg in the msg_info. Needless to say, things that attempt to dereference this are in for a rough ride.

In particular, this caused crashes in three different locations, all of which are 'low level' enough to intercept an rdata object early in processing:
(1) res_pjsip_logger
(2) res_hep_pjsip
(3) res_pjsip/distributor

Anything that can intercept an rdata object before res_pjsip/distributor should be defensive when looking at the received packet.

#SIPit31

ASTERISK-24369 #close
Reported by: Matt Jordan
........

Merged revisions 424618 from http://svn.asterisk.org/svn/asterisk/branches/12

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/13@424619 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'res/res_pjsip')
-rw-r--r-- res/res_pjsip/pjsip_distributor.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c
index 69cbed784..c829db787 100644
--- a/res/res_pjsip/pjsip_distributor.c
+++ b/res/res_pjsip/pjsip_distributor.c
@@ -100,6 +100,10 @@ static pjsip_dialog *find_dialog(pjsip_rx_data *rdata)
pj_str_t *local_tag;
pj_str_t *remote_tag;
+ if (!rdata->msg_info.msg) {
+ return NULL;
+ }
+
if (rdata->msg_info.msg->type == PJSIP_REQUEST_MSG) {
local_tag = &rdata->msg_info.to->tag;
remote_tag = &rdata->msg_info.from->tag;
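Review bot: The new `if (!rdata->msg_info.msg)` guard in find_dialog() returns NULL, which is the same value a caller gets when no dialog matches, so the caller cannot tell a message-less rdata from an ordinary out-of-dialog message and may keep processing it. Consider rejecting the rdata at the distributor's entry point instead of (or in addition to) here, so nothing later in the module touches `msg_info.msg`. The check also has no comment; a one-line note that pjproject can hand up a NULL msg for packets over PJ_MAX_PKT_SIZE on a reliable transport would keep it from being removed as dead code. Separately, the lines just below use `rdata->msg_info.to` and `rdata->msg_info.from` without a NULL check, and it is worth confirming those are always populated whenever `msg` is.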