From 45b7b474aca2a4213a0f4ef06debb17a30d60b2d Mon Sep 17 00:00:00 2001
From: Matthew Jordan <mjordan@digium.com>
Date: Mon, 6 Oct 2014 00:31:48 +0000
Subject: res_pjsip: Prevent crashes when PJPROJECT presents an rdata with no
 message

When a message that exceeds the PJ_MAX_PKT_SIZE is sent over a reliable
transport, it is possible (although it shouldn't occur) for pjproject to pass
up an rdata object with a NULL msg in the msg_info. Needless to say, things
that attempt to dereference this are in for a rough ride.

In particular, this caused crashes in three different locations, all of which
are 'low level' enough to intercept an rdata object early in processing:

(1) res_pjsip_logger
(2) res_hep_pjsip
(3) res_pjsip/distributor

Anything that can intercept an rdata object before res_pjsip/distributor should
be defensive when looking at the received packet.

#SIPit31

ASTERISK-24369 #close
Reported by: Matt Jordan
........

Merged revisions 424618 from http://svn.asterisk.org/svn/asterisk/branches/12
........

Merged revisions 424619 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@424620 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 res/res_hep_pjsip.c               | 8 ++++++--
 res/res_pjsip/pjsip_distributor.c | 4 ++++
 res/res_pjsip_logger.c            | 4 ++++
 3 files changed, 14 insertions(+), 2 deletions(-)

(limited to 'res')

diff --git a/res/res_hep_pjsip.c b/res/res_hep_pjsip.c
index 254028b95..333719de0 100644
--- a/res/res_hep_pjsip.c
+++ b/res/res_hep_pjsip.c
@@ -121,8 +121,12 @@ static pj_bool_t logging_on_rx_msg(pjsip_rx_data *rdata)
 		return PJ_SUCCESS;
 	}
 
-	pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
-	pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+	if (rdata->tp_info.transport->addr_len) {
+		pj_sockaddr_print(&rdata->tp_info.transport->local_addr, local_buf, sizeof(local_buf), 3);
+	}
+	if (rdata->pkt_info.src_addr_len) {
+		pj_sockaddr_print(&rdata->pkt_info.src_addr, remote_buf, sizeof(remote_buf), 3);
+	}
 
 	uuid = assign_uuid(&rdata->msg_info.cid->id, &rdata->msg_info.to->tag, &rdata->msg_info.from->tag);
 	if (!uuid) {
diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c
index 69cbed784..c829db787 100644
--- a/res/res_pjsip/pjsip_distributor.c
+++ b/res/res_pjsip/pjsip_distributor.c
@@ -100,6 +100,10 @@ static pjsip_dialog *find_dialog(pjsip_rx_data *rdata)
 	pj_str_t *local_tag;
 	pj_str_t *remote_tag;
 
+	if (!rdata->msg_info.msg) {
+		return NULL;
+	}
+
 	if (rdata->msg_info.msg->type == PJSIP_REQUEST_MSG) {
 		local_tag = &rdata->msg_info.to->tag;
 		remote_tag = &rdata->msg_info.from->tag;
diff --git a/res/res_pjsip_logger.c b/res/res_pjsip_logger.c
index e1c404489..320bb0301 100644
--- a/res/res_pjsip_logger.c
+++ b/res/res_pjsip_logger.c
@@ -121,6 +121,10 @@ static pj_bool_t logging_on_rx_msg(pjsip_rx_data *rdata)
 		return PJ_FALSE;
 	}
 
+	if (!rdata->msg_info.msg) {
+		return PJ_FALSE;
+	}
+
 	ast_verbose("<--- Received SIP %s (%d bytes) from %s:%s:%d --->\n%s\n",
 		    rdata->msg_info.msg->type == PJSIP_REQUEST_MSG ? "request" : "response",
 		    rdata->msg_info.len,
-- 
cgit v1.2.3