| field | value | date |
|---|---|---|
| author | Richard Mudgett <rmudgett@digium.com> | 2015-02-17 15:31:46 +0000 |
| committer | Richard Mudgett <rmudgett@digium.com> | 2015-02-17 15:31:46 +0000 |
| commit | 6d3fcfc3c2f49b3909b7ae0ebb74d99e2fedbb65 | |
| tree | 8238044471bb69f8a8ae40eeeb41a3af3771b9da /res/res_pjsip_messaging.c | |
| parent | 562b7bf6f09d9ea5ac8e20575d87f4e892609c20 | |
res_pjsip_refer: Fix crash from a REFER and BYE collision.
Analyzing a one-off crash on a busy system showed that processing a REFER
request had a NULL session channel pointer. The only way I can think of
that could cause this is if an outgoing BYE transaction overlapped the
incoming REFER transaction in a collision. Asterisk sends a BYE while the
phone sends a REFER to complete an attended transfer.
* Made the code check the session channel pointer before processing an
incoming REFER request in res_pjsip_refer.
* Fixed similar crash potential for res_pjsip supplement incoming request
processing for res_pjsip_sdp_rtp INFO, res_pjsip_caller_id INVITE/UPDATE,
res_pjsip_messaging MESSAGE, and res_pjsip_send_to_voicemail REFER
messages.
* Made res_pjsip_messaging respond to a message body too large with a 413
instead of ignoring it.
ASTERISK-24700 #close
Reported by: Zane Conkle
Review: https://reviewboard.asterisk.org/r/4417/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/13@431898 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'res/res_pjsip_messaging.c')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | res/res_pjsip_messaging.c | 7 |

1 file changed, 6 insertions, 1 deletion
diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c index 04332996a..813090816 100644 --- a/res/res_pjsip_messaging.c +++ b/res/res_pjsip_messaging.c @@ -681,10 +681,14 @@ static int incoming_in_dialog_request(struct ast_sip_session *session, struct pj char buf[MAX_BODY_SIZE]; enum pjsip_status_code code; struct ast_frame f; - pjsip_dialog *dlg = session->inv_session->dlg; pjsip_transaction *tsx = pjsip_rdata_get_tsx(rdata); + if (!session->channel) { + send_response(rdata, PJSIP_SC_NOT_FOUND, dlg, tsx); + return 0; + } + if ((code = check_content_type(rdata)) != PJSIP_SC_OK) { send_response(rdata, code, dlg, tsx); return 0; @@ -692,6 +696,7 @@ static int incoming_in_dialog_request(struct ast_sip_session *session, struct pj if (print_body(rdata, buf, sizeof(buf)-1) < 1) { /* invalid body size */ + send_response(rdata, PJSIP_SC_REQUEST_ENTITY_TOO_LARGE, dlg, tsx); return 0; } |
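Review bot: In the first hunk (@@ -681,10 +681,14 @@), the `-` line reads as removing `pjsip_dialog *dlg = session->inv_session->dlg;` while the newly added `send_response(rdata, PJSIP_SC_NOT_FOUND, dlg, tsx);` still passes `dlg`. With the diffstat reporting a single deletion and the hunk run together by extraction, that is most likely a removed blank line with the following context line fused onto it, but confirm against the raw patch that the `dlg` declaration survives, since the function would not compile without it. Separately, the commit message gives no rationale for answering a MESSAGE on a channel-less session with 404 Not Found rather than a dialog-level code such as 481 Call/Transaction Does Not Exist; a one-line comment above the `if (!session->channel)` check stating why 404 was chosen would help the next reader.

Review bot: In the second hunk (@@ -692,6 +696,7 @@), the new 413 is sent whenever `print_body(rdata, buf, sizeof(buf)-1) < 1`, and `< 1` also matches a return of 0, i.e. a MESSAGE whose body printed to zero bytes, so an empty or unprintable body would be answered "Request Entity Too Large" even though nothing was too large. If `print_body` distinguishes an empty body (0) from a buffer overrun (negative), split the two cases and answer the empty one with 400 Bad Request; either way the `/* invalid body size */` comment should name the conditions that land here, since the commit message only describes the oversized case.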