res_pjsip_refer: Fix crash from a REFER and BYE collision.

Analyzing a one-off crash on a busy system showed that processing a REFER
request had a NULL session channel pointer.  The only way I can think of
that could cause this is if an outgoing BYE transaction overlapped the
incoming REFER transaction in a collision.  Asterisk sends a BYE while the
phone sends a REFER to complete an attended transfer.

* Made check the session channel pointer before processing an incoming
REFER request in res_pjsip_refer.

* Fixed similar crash potential for res_pjsip supplement incoming request
processing for res_pjsip_sdp_rtp INFO, res_pjsip_caller_id INVITE/UPDATE,
res_pjsip_messaging MESSAGE, and res_pjsip_send_to_voicemail REFER
messages.

* Made res_pjsip_messaging respond to a message body too large with a 413
instead of ignoring it.

ASTERISK-24700 #close
Reported by: Zane Conkle

Review: https://reviewboard.asterisk.org/r/4417/


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/13@431898 65c4cc65-6c06-0410-ace0-fbb531ad65f3

1 files changed, 6 insertions, 1 deletions

diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c
index 04332996a..813090816 100644
--- a/res/res_pjsip_messaging.c
+++ b/res/res_pjsip_messaging.c
@@ -681,10 +681,14 @@ static int incoming_in_dialog_request(struct ast_sip_session *session, struct pj
 	char buf[MAX_BODY_SIZE];
 	enum pjsip_status_code code;
 	struct ast_frame f;
-
 	pjsip_dialog *dlg = session->inv_session->dlg;
 	pjsip_transaction *tsx = pjsip_rdata_get_tsx(rdata);
 
+	if (!session->channel) {
+		send_response(rdata, PJSIP_SC_NOT_FOUND, dlg, tsx);
+		return 0;
+	}
+
 	if ((code = check_content_type(rdata)) != PJSIP_SC_OK) {
 		send_response(rdata, code, dlg, tsx);
 		return 0;
@@ -692,6 +696,7 @@ static int incoming_in_dialog_request(struct ast_sip_session *session, struct pj
 
 	if (print_body(rdata, buf, sizeof(buf)-1) < 1) {
 		/* invalid body size */
+		send_response(rdata, PJSIP_SC_REQUEST_ENTITY_TOO_LARGE, dlg, tsx);
 		return 0;
 	}