res_pjsip.c: Fix crash from corrupt saved SUBSCRIBE message.

If the saved SUBSCRIBE message is not parseable for whatever reason then Asterisk could crash when libpjsip tries to parse the message and adds an error message to the parse error list. * Made ast_sip_create_rdata() initialize the parse error rdata list. The list is checked after parsing to see that it remains empty for the function to return successful. ASTERISK-25306 Reported by Mark Michelson Change-Id: Ie0677f69f707503b1a37df18723bd59418085256
author: Richard Mudgett <rmudgett@digium.com> 2015-08-10 18:23:02 -0500
committer: Richard Mudgett <rmudgett@digium.com> 2015-08-11 13:49:25 -0500
commit: c126afe18f9073f3ee74e45f574da421131b9fa2 (patch)
tree: 1991f4937dacffb5f118940ad0b296720a359447 /res
parent: 47d9ff1741118d5594c8500dfc5b048b5e04d8a0 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 405ac6838..76d013c1c 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -2649,6 +2649,12 @@ int ast_sip_create_rdata(pjsip_rx_data *rdata, char *packet, const char *src_nam
 {
 	pj_str_t tmp;
 
+	/*
+	 * Initialize the error list in case there is a parse error
+	 * in the given packet.
+	 */
+	pj_list_init(&rdata->msg_info.parse_err);
+
 	rdata->tp_info.transport = PJ_POOL_ZALLOC_T(rdata->tp_info.pool, pjsip_transport);
 	if (!rdata->tp_info.transport) {
 		return -1;
@@ -2659,7 +2665,7 @@ int ast_sip_create_rdata(pjsip_rx_data *rdata, char *packet, const char *src_nam
 	rdata->pkt_info.src_port = src_port;
 
 	pjsip_parse_rdata(packet, strlen(packet), rdata);
-	if (!rdata->msg_info.msg) {
+	if (!rdata->msg_info.msg || !pj_list_empty(&rdata->msg_info.parse_err)) {
 		return -1;
 	}
author	Richard Mudgett <rmudgett@digium.com>	2015-08-10 18:23:02 -0500
committer	Richard Mudgett <rmudgett@digium.com>	2015-08-11 13:49:25 -0500
commit	c126afe18f9073f3ee74e45f574da421131b9fa2 (patch)
tree	1991f4937dacffb5f118940ad0b296720a359447 /res
parent	47d9ff1741118d5594c8500dfc5b048b5e04d8a0 (diff)