Summary: ASTERISK-22821: Asterisk 12-beta @r402448 pjsip sigsegv receiving SIP MESSAGE when checking Contact header
Reporter: Anthony Messina (amessina)
Labels:
Date Opened: 2013-11-03 04:48:27.000-0600
Date Closed: 2013-11-12 10:46:04.000-0600
Priority: Major
Regression?:
Status: Closed/Complete
Components: Resources/res_pjsip_messaging
Versions: 12.0.0-beta1
Frequency of Occurrence: Constant
Related Issues:
Environment: Fedora 19 x86_64, compiled Asterisk and PJSIP from source.
Attachments:
( 0) asterisk-12-r402448-PJSIP_HEADER-read-Contact-sigsegv.txt
( 1) asterisk-12-r402448-pjsip-message-sigsegv.txt
Description: Asterisk dumps core when receiving a PJSIP SIP MESSAGE from a CSipSimple client.  The issue appears when Asterisk attempts to check for a Contact header in the incoming MESSAGE (in res/res_pjsip_messaging.c):
{code}
       /* contact header */
       /* the result of pjsip_msg_find_hdr() is passed straight to pjsip_hdr_print_on()
        * without being checked for NULL */
       if ((size = pjsip_hdr_print_on(pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, NULL), buf, sizeof(buf)-1)) > 0) {
               buf[size] = '\0';
               CHECK_RES(ast_msg_set_var(msg, "SIP_FULLCONTACT", buf));
       }
{code}

It may well be that CSipSimple is sending a bad Contact header, but it shouldn't cause Asterisk/PJSIP to bail.  I am contacting the CSipSimple developers to ask about their Contact header.

If I replace the above snippet with the following, SIP MESSAGEs are processed properly (though I don't know C and I'm not sure this will do what it's supposed to):

{code}
       /* new contact header */
       pjsip_contact_hdr *contact_hdr;
       contact_hdr = (pjsip_contact_hdr*)
               pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, NULL);
       if (contact_hdr) {
               /* only print the header into buf once the lookup has confirmed it exists */
               size = pjsip_hdr_print_on(contact_hdr, buf, sizeof(buf)-1);
               if (size > 0) {
                       buf[size] = '\0';
                       CHECK_RES(ast_msg_set_var(msg, "SIP_FULLCONTACT", buf));
               }
       }
{code}


I will attach a backtrace showing the problem.
Comments:

By: Anthony Messina (amessina) 2013-11-03 04:49:06.162-0600

Backtrace

By: Anthony Messina (amessina) 2013-11-03 05:22:04.820-0600

Here is my initial request for information to the CSipSimple developers: https://groups.google.com/forum/#!topic/csipsimple-dev/JBbdIiVJ29Q

By: Anthony Messina (amessina) 2013-11-03 08:05:40.592-0600

According to the lead developer of CSipSimple,

{quote}
OK, seems contact header is not allowed to MESSAGE request
http://www.ietf.org/rfc/rfc3428.txt
Section 9/10.
So I think that asterisk server should not search for this header in MESSAGE at all.... and that it's even expected that *all* standard sip client should make current asterisk code crash when sending a message (as standard client should not include contact header).
{quote}

So perhaps that check for a Contact header should be removed.

I should note however, that I get a very similar core dump when I try to read the Contact header using the PJSIP_HEADER function (but that's a separate issue...)

By: Anthony Messina (amessina) 2013-11-03 08:48:13.127-0600

Here is a little more information on Contact header NOT belonging in MESSAGE: https://code.google.com/p/mobicents/issues/detail?id=1687

By: Matt Jordan (mjordan) 2013-11-04 11:43:50.154-0600

Agreed, we shouldn't rely on the presence of the Contact header in a MESSAGE request.

By: Anthony Messina (amessina) 2013-11-04 20:19:02.202-0600

Thanks, Matt.  After working with this overnight, it seems like there may be a larger issue here.  Whether or not Asterisk should check for the Contact header is one thing, but after verifying that CSipSimple doesn't send a Contact header, the question arises why is Asterisk dumping core when searching for a PJSIP header that isn't there.  A similar issue arises when using the PJSIP_HEADER function.  It may be related to using PJSIP_HEADER on the Message/ast_msg_channel.  I have more testing to do, but I also see the SIGSEGV when trying to read other headers using PJSIP_HEADER.  I'll attach a backtrace of what I'm talking about.

By: Anthony Messina (amessina) 2013-11-04 20:20:14.146-0600

SIGSEGV when using PJSIP_HEADER function to read Contact header on Message/ast_msg_queue channel

By: Kevin Harwell (kharwell) 2013-11-12 10:48:55.084-0600

In the messaging case it is correct that the contact header should not be checked.  Removing the offending code fixed the problem.

For the PJSIP_HEADER case it was attempting to dereference a null private channel tech pointer.  I put in some null checks to guard against this.

However, since this bug was found alongside the messaging bug, I suspect you were attempting to use the PJSIP_HEADER dialplan function to set items before calling the "MessageSend" application.  Since these messages are "out of dialog" there is no associated channel technology so PJSIP_HEADER function cannot be used here.  However there exists a MESSAGE function (https://wiki.asterisk.org/wiki/display/AST/Asterisk+12+Function_MESSAGE) that is used for this and can be used instead.
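As an added illustration (not Asterisk or PJSIP code), the following self-contained C program shows the pattern behind this report: a header lookup that returns NULL for a MESSAGE request without Contact, a print routine that, like pjsip_hdr_print_on, dereferences its argument unconditionally, and the guarded lookup that checks the result first. The SIP request text and its endpoints are constructed for the example.

```c
#include <string.h>
#include <strings.h>

/* Constructed sample: a SIP MESSAGE request as RFC 3428 describes it, with no
 * Contact header. Addresses are documentation values, not captured traffic. */
static const char *sample_message =
    "MESSAGE sip:bob@example.org SIP/2.0\r\n"
    "From: <sip:alice@example.org>;tag=1234\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76@192.0.2.10\r\n"
    "CSeq: 1 MESSAGE\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello";

/* Start of the named header line, or NULL when the request does not carry it
 * (the same contract as pjsip_msg_find_hdr returning NULL). */
static const char *find_hdr(const char *msg, const char *name) {
    size_t n = strlen(name);
    const char *line = msg;
    while (*line && strncmp(line, "\r\n", 2) != 0) {   /* blank line ends headers */
        if (strncasecmp(line, name, n) == 0 && line[n] == ':')
            return line;
        const char *eol = strstr(line, "\r\n");
        if (!eol)
            break;
        line = eol + 2;
    }
    return NULL;
}

/* Copy one header line into buf. Like pjsip_hdr_print_on it dereferences hdr
 * unconditionally, so handing it the raw lookup result crashes when that is NULL. */
static int hdr_print_on(const char *hdr, char *buf, size_t buflen) {
    const char *eol = strstr(hdr, "\r\n");
    size_t len = eol ? (size_t)(eol - hdr) : strlen(hdr);
    if (len >= buflen) return -1;
    memcpy(buf, hdr, len);
    buf[len] = '\0';
    return (int)len;
}

/* Guarded form: check the lookup before printing. Returns the header length,
 * or -1 when the header is absent, which is the normal case for MESSAGE. */
static int get_hdr_safe(const char *msg, const char *name, char *buf, size_t buflen) {
    const char *hdr = find_hdr(msg, name);
    return hdr ? hdr_print_on(hdr, buf, buflen) : -1;
}
```

Calling hdr_print_on(find_hdr(sample_message, "Contact"), ...) directly reproduces the unguarded shape of the original code; get_hdr_safe is the shape the fix moves to.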