From 0c1cee67db5ce5bcf02c6983f397c03da0346741 Mon Sep 17 00:00:00 2001
From: Benny Prijono
Date: Tue, 22 Sep 2009 17:56:44 +0000
Subject: Fixed ticket #959: Assertion upon receiving malformed SIP messages (thanks Andrey Kovalenko for the report) - transaction checks for the method before processing incoming ACK request - transport layer checks the validity of status code in the response - added SIPP scenario to reproduce the bad ACK request
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@2915 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjsip/src/pjsip/sip_transaction.c | 9 +++++++++
 pjsip/src/pjsip/sip_transport.c | 8 ++++++++
 2 files changed, 17 insertions(+)
(limited to 'pjsip')
diff --git a/pjsip/src/pjsip/sip_transaction.c b/pjsip/src/pjsip/sip_transaction.c
index 7008670a..e7e2347b 100644
--- a/pjsip/src/pjsip/sip_transaction.c
+++ b/pjsip/src/pjsip/sip_transaction.c
@@ -2840,6 +2840,15 @@ static pj_status_t tsx_on_state_completed_uas( pjsip_transaction *tsx,
 /* Process incoming ACK request. */
+ /* Verify that this is an INVITE transaction */
+ if (tsx->method.id != PJSIP_INVITE_METHOD) {
+ PJ_LOG(2, (tsx->obj_name,
+ "Received illegal ACK for %.*s transaction",
+ (int)tsx->method.name.slen,
+ tsx->method.name.ptr));
+ return PJSIP_EINVALIDMETHOD;
+ }
+
 /* Cease retransmission. */
 if (tsx->retransmit_timer.id != 0) {
 pjsip_endpt_cancel_timer(tsx->endpt, &tsx->retransmit_timer);
diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
index f34699be..b6e79183 100644
--- a/pjsip/src/pjsip/sip_transport.c
+++ b/pjsip/src/pjsip/sip_transport.c
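Review bot: The new rejection path in tsx_on_state_completed_uas is driven by a received message, yet the `PJ_LOG(2, ...)` line names only the transaction's own method and says nothing about who sent the ACK. Assuming the received rdata is reachable from the event argument at this point (the signature's remaining parameters and the enclosing branch lie outside the hunk), appending the packet source, e.g. `"Received illegal ACK for %.*s transaction from %s:%d"` fed from `pkt_info.src_name` and `pkt_info.src_port`, would let an operator tie repeated hits to one sender. Each such packet emits a level-2 line, so it is worth confirming that the log sink copes with a burst of them. The comment could also state the reason, e.g. `/* ACK is only defined for INVITE transactions; reject it here rather than assert (ticket #959) */`.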
@@ -1439,6 +1439,14 @@ PJ_DEF(pj_ssize_t) pjsip_tpmgr_receive_packet( pjsip_tpmgr *mgr,
 if (rdata->msg_info.via->rport_param == 0) {
 rdata->msg_info.via->rport_param = rdata->pkt_info.src_port;
 }
+ } else {
+ /* Drop malformed responses */
+ if (rdata->msg_info.msg->line.status.code < 100 ||
+ rdata->msg_info.msg->line.status.code >= 700)
+ {
+ mgr->on_rx_msg(mgr->endpt, PJSIP_EINVALIDSTATUS, rdata);
+ goto finish_process_fragment;
+ }
 }
 /* Drop response message if it has more than one Via.
-- 
cgit v1.2.3
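Review bot: The range check `status.code < 100 || status.code >= 700` guards only messages that arrive through pjsip_tpmgr_receive_packet, so any other consumer of the parser's output (none is visible in this hunk) would still be handed an out-of-range status code. If the assertion from ticket #959 can be reached along such a path, rejecting the value where the status line is parsed would cover every caller. The bare bounds also deserve a word of explanation, e.g. `/* Drop malformed responses: valid SIP status codes are 1xx-6xx (RFC 3261 7.2) */`. The added `else` pairs with a condition above the hunk, so treating this branch as "message is a response" relies on code not shown here.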