diff options
author | George Joseph <gjoseph@digium.com> | 2018-02-06 10:28:49 -0700 |
---|---|---|
committer | George Joseph <gjoseph@digium.com> | 2018-02-21 08:14:47 -0700 |
commit | de871515ba06e3c3e6343a09652d3079c3706215 (patch) | |
tree | 4d7e51b85f690468758804dab17f69746a37a4dc /res | |
parent | c53d8dcb68751f499df31f0c07c3be7ccd02fa68 (diff) |
AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)
pjsip_distributor:
authenticate() creates a tdata and uses it to send a challenge or
failure response. When pjsip_endpt_send_response2() succeeds, it
automatically decrements the tdata ref count but when it fails, it
doesn't. Since we weren't checking for a return status, we weren't
decrementing the count ourselves on error and were therefore leaking
tdatas.
res_pjsip_session:
session_reinvite_on_rx_request wasn't decrementing the ref count
if an error happened while sending a 491 response.
pre_session_setup wasn't decrementing the ref count if
while sending an error after a pjsip_inv_verify_request failure.
res_pjsip:
ast_sip_send_response wasn't decrementing the ref count on error.
ASTERISK-27618
Reported By: Sandro Gauci
Change-Id: Iab33a6c7b6fba96148ed465b690ba8534ac961bf
Diffstat (limited to 'res')
-rw-r--r-- | res/res_pjsip.c | 8 | ||||
-rw-r--r-- | res/res_pjsip/pjsip_distributor.c | 8 | ||||
-rw-r--r-- | res/res_pjsip_session.c | 8 |
3 files changed, 19 insertions, 5 deletions
diff --git a/res/res_pjsip.c b/res/res_pjsip.c index 79e6cc20b..df4dd47c6 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -4722,9 +4722,15 @@ static void supplement_outgoing_response(pjsip_tx_data *tdata, struct ast_sip_en int ast_sip_send_response(pjsip_response_addr *res_addr, pjsip_tx_data *tdata, struct ast_sip_endpoint *sip_endpoint) { + pj_status_t status; + supplement_outgoing_response(tdata, sip_endpoint); + status = pjsip_endpt_send_response(ast_sip_get_pjsip_endpoint(), res_addr, tdata, NULL, NULL); + if (status != PJ_SUCCESS) { + pjsip_tx_data_dec_ref(tdata); + } - return pjsip_endpt_send_response(ast_sip_get_pjsip_endpoint(), res_addr, tdata, NULL, NULL); + return status == PJ_SUCCESS ? 0 : -1; } int ast_sip_send_stateful_response(pjsip_rx_data *rdata, pjsip_tx_data *tdata, struct ast_sip_endpoint *sip_endpoint) diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c index c239c1a79..33d4bced2 100644 --- a/res/res_pjsip/pjsip_distributor.c +++ b/res/res_pjsip/pjsip_distributor.c @@ -854,7 +854,9 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata) case AST_SIP_AUTHENTICATION_CHALLENGE: /* Send the 401 we created for them */ ast_sip_report_auth_challenge_sent(endpoint, rdata, tdata); - pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL); + if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) { + pjsip_tx_data_dec_ref(tdata); + } return PJ_TRUE; case AST_SIP_AUTHENTICATION_SUCCESS: /* See note in endpoint_lookup about not holding an unnecessary write lock */ @@ -867,7 +869,9 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata) case AST_SIP_AUTHENTICATION_FAILED: log_failed_request(rdata, "Failed to authenticate", 0, 0); ast_sip_report_auth_failed_challenge_response(endpoint, rdata); - pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL); + if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) { + pjsip_tx_data_dec_ref(tdata); + } return PJ_TRUE; case AST_SIP_AUTHENTICATION_ERROR: log_failed_request(rdata, "Error to authenticate", 0, 0); diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c index 5a9134bc7..fcd190bcb 100644 --- a/res/res_pjsip_session.c +++ b/res/res_pjsip_session.c @@ -1865,7 +1865,9 @@ static pj_bool_t session_reinvite_on_rx_request(pjsip_rx_data *rdata) /* Otherwise this is a new re-invite, so reject it */ if (pjsip_dlg_create_response(dlg, rdata, 491, NULL, &tdata) == PJ_SUCCESS) { - pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL); + if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) { + pjsip_tx_data_dec_ref(tdata); + } } return PJ_TRUE; @@ -2855,7 +2857,9 @@ static pjsip_inv_session *pre_session_setup(pjsip_rx_data *rdata, const struct a if (pjsip_inv_verify_request(rdata, &options, NULL, NULL, ast_sip_get_pjsip_endpoint(), &tdata) != PJ_SUCCESS) { if (tdata) { - pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL); + if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) { + pjsip_tx_data_dec_ref(tdata); + } } else { pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL); } |