authorBenny Prijono <bennylp@teluu.com>2009-09-22 17:56:44 +0000
committerBenny Prijono <bennylp@teluu.com>2009-09-22 17:56:44 +0000
commit0c1cee67db5ce5bcf02c6983f397c03da0346741 (patch)
tree83ef09ad8fe0e354b27fbbc3f945397e1058bb40 /pjsip
parent8348281f1e999ff04f37f0cb873729d75c961cf7 (diff)
Fixed ticket #959: Assertion upon receiving malformed SIP messages (thanks Andrey Kovalenko for the report)
- transaction checks for the method before processing incoming ACK request - transport layer checks the validity of status code in the response - added SIPP scenario to reproduce the bad ACK request git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@2915 74dad513-b988-da41-8d7b-12977e46ad98
Diffstat (limited to 'pjsip')
-rw-r--r--pjsip/src/pjsip/sip_transaction.c9
-rw-r--r--pjsip/src/pjsip/sip_transport.c8
2 files changed, 17 insertions, 0 deletions
diff --git a/pjsip/src/pjsip/sip_transaction.c b/pjsip/src/pjsip/sip_transaction.c
index 7008670a..e7e2347b 100644
--- a/pjsip/src/pjsip/sip_transaction.c
+++ b/pjsip/src/pjsip/sip_transaction.c
@@ -2840,6 +2840,15 @@ static pj_status_t tsx_on_state_completed_uas( pjsip_transaction *tsx,
/* Process incoming ACK request. */
+ /* Verify that this is an INVITE transaction */
+ if (tsx->method.id != PJSIP_INVITE_METHOD) {
+ PJ_LOG(2, (tsx->obj_name,
+ "Received illegal ACK for %.*s transaction",
+ (int)tsx->method.name.slen,
+ tsx->method.name.ptr));
+ return PJSIP_EINVALIDMETHOD;
+ }
+
/* Cease retransmission. */
if (tsx->retransmit_timer.id != 0) {
pjsip_endpt_cancel_timer(tsx->endpt, &tsx->retransmit_timer);
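Review bot: The new guard writes a level 2 log line each time an ACK arrives for a non-INVITE transaction, and that condition is controlled entirely by the remote peer, so repeated malformed requests produce one log line per packet; it is worth deciding whether level 2 is the right severity here or whether the message needs rate limiting. The comment above the check could also record why it exists, for example `/* ACK is only valid for an INVITE transaction; reject it for any other method before the ACK handling below runs (ticket #959) */`. Placing the check ahead of the retransmission-timer cancel looks right, since a rejected ACK then leaves the transaction state untouched. The enclosing branch and the rest of tsx_on_state_completed_uas lie outside the hunk, so how the caller treats `PJSIP_EINVALIDMETHOD` cannot be confirmed from here.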
diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
index f34699be..b6e79183 100644
--- a/pjsip/src/pjsip/sip_transport.c
+++ b/pjsip/src/pjsip/sip_transport.c
@@ -1439,6 +1439,14 @@ PJ_DEF(pj_ssize_t) pjsip_tpmgr_receive_packet( pjsip_tpmgr *mgr,
if (rdata->msg_info.via->rport_param == 0) {
rdata->msg_info.via->rport_param = rdata->pkt_info.src_port;
}
+ } else {
+ /* Drop malformed responses */
+ if (rdata->msg_info.msg->line.status.code < 100 ||
+ rdata->msg_info.msg->line.status.code >= 700)
+ {
+ mgr->on_rx_msg(mgr->endpt, PJSIP_EINVALIDSTATUS, rdata);
+ goto finish_process_fragment;
+ }
}
/* Drop response message if it has more than one Via.
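Review bot: The bounds `100` and `700` are bare literals and the comment `/* Drop malformed responses */` does not say what makes a response malformed; something like `/* Valid SIP status codes are 100..699; drop any response outside that range */` would record the intent. Unlike the ACK check in sip_transaction.c, this drop path writes no log line itself, so whether operators can see these packets depends on what the `on_rx_msg` handler does with `PJSIP_EINVALIDSTATUS`, which is not visible here. The handler is still handed `rdata` for the rejected message, so it should be confirmed that it does not process `rdata->msg_info.msg` any further when the status argument is an error. The `if` that this `else` belongs to starts outside the hunk.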