diff options
author | Matthew Jordan <mjordan@digium.com> | 2014-10-06 00:31:15 +0000 |
---|---|---|
committer | Matthew Jordan <mjordan@digium.com> | 2014-10-06 00:31:15 +0000 |
commit | 69032d62aafe68bef42f0ef2c6d14b845d461e20 (patch) | |
tree | 89f22681272f5bff9693dd323ed8a3dca9b6769b /res/res_pjsip_logger.c | |
parent | f36b64f58e1799383bf20292e90d5bc490d2ce90 (diff) |
res_pjsip: Prevent crashes when PJPROJECT presents an rdata with no message
When a message that exceeds the PJ_MAX_PKT_SIZE is sent over a reliable
transport, it is possible (although it shouldn't occur) for pjproject to pass
up an rdata object with a NULL msg in the msg_info. Needless to say, things
that attempt to dereference this are in for a rough ride.
In particular, this caused crashes in three different locations, all of which
are 'low level' enough to intercept an rdata object early in processing:
(1) res_pjsip_logger
(2) res_hep_pjsip
(3) res_pjsip/distributor
Anything that can intercept an rdata object before res_pjsip/distributor should
be defensive when looking at the received packet.
#SIPit31
ASTERISK-24369 #close
Reported by: Matt Jordan
........
Merged revisions 424618 from http://svn.asterisk.org/svn/asterisk/branches/12
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/13@424619 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'res/res_pjsip_logger.c')
-rw-r--r-- | res/res_pjsip_logger.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/res/res_pjsip_logger.c b/res/res_pjsip_logger.c index e1c404489..320bb0301 100644 --- a/res/res_pjsip_logger.c +++ b/res/res_pjsip_logger.c @@ -121,6 +121,10 @@ static pj_bool_t logging_on_rx_msg(pjsip_rx_data *rdata) return PJ_FALSE; } + if (!rdata->msg_info.msg) { + return PJ_FALSE; + } + ast_verbose("<--- Received SIP %s (%d bytes) from %s:%s:%d --->\n%s\n", rdata->msg_info.msg->type == PJSIP_REQUEST_MSG ? "request" : "response", rdata->msg_info.len, |