Summary: ASTERISK-27393: res_pjsip: Crash occurs when an empty contact read from astdb or database
Reporter: Aaron An (aaron)
Labels: pjsip webrtc
Date Opened: 2017-11-05 21:25:46.000-0600
Date Closed: 2017-11-07 12:05:30.000-0600
Priority: Minor
Regression?:
Status: Closed/Complete
Components: Resources/res_pjsip
Versions: 13.16.0
Frequency of Occurrence: Constant
Related Issues:
Environment: CentOS6.5 X64
Attachments:
Description: I have searched other issues similar to this, for example:
ASTERISK-25970

but the crash I met is different. It can be reproduced easily by supplying a contact with uri="".


the backtrace:
{noformat}
(gdb) bt
#0  pjsip_url_compare (context=PJSIP_URI_IN_CONTACT_HDR, url1=0x7f7e60029f88, url2=0x0) at ../src/pjsip/sip_uri.c:400
#1  0x00007f7e3ed38737 in pjsip_uri_cmp (uri2=<optimized out>, uri1=<optimized out>, context=PJSIP_URI_IN_CONTACT_HDR)
   at /home/cti-link/cti-link-webrtc/asterisk/asterisk-13.16.0/third-party/pjproject/source/pjsip/include/pjsip/sip_uri.h:287
#2  registrar_find_contact (obj=<optimized out>, arg=0x7f7e541c49b0, flags=<optimized out>) at res_pjsip_registrar.c:127
#3  0x000000000047dd3a in internal_ao2_traverse (self=0x7f7e60033fe8, flags=OBJ_SEARCH_NONE, cb_fn=0x7f7e3ed386f0 <registrar_find_contact>, arg=0x7f7e541c49b0, data=0x0, type=AO2_CALLBACK_DEFAULT,
   tag=0x0, file=0x0, line=0, func=0x0) at astobj2_container.c:354
#4  0x000000000047e2de in __ao2_callback (c=0x7f7e60033fe8, flags=OBJ_SEARCH_NONE, cb_fn=0x7f7e3ed386f0 <registrar_find_contact>, arg=0x7f7e541c49b0) at astobj2_container.c:455
#5  0x00007f7e3ed39c06 in registrar_validate_contacts (deleted=<synthetic pointer>, updated=<synthetic pointer>, added=<synthetic pointer>, aor=0x7f7e60019db8, contacts=0x7f7e60033fe8,
   rdata=0x7f7e6002c3a8) at res_pjsip_registrar.c:181
#6  register_aor_core (rdata=rdata@entry=0x7f7e6002c3a8, endpoint=endpoint@entry=0x7f7e60038618, aor=aor@entry=0x7f7e60019db8, aor_name=aor_name@entry=0x7f7e6001a270 "70000029023",
   contacts=contacts@entry=0x7f7e60033fe8) at res_pjsip_registrar.c:342
#7  0x00007f7e3ed3bcf6 in register_aor (aor_name=0x7f7e6001a270 "70000029023", aor=0x7f7e60019db8, endpoint=0x7f7e60038618, rdata=0x7f7e6002c3a8) at res_pjsip_registrar.c:575
#8  registrar_on_rx_request (rdata=0x7f7e6002c3a8) at res_pjsip_registrar.c:760
#9  0x00007f7e8394c4b7 in pjsip_endpt_process_rx_data (endpt=<optimized out>, rdata=rdata@entry=0x7f7e6002c3a8, p=p@entry=0x7f7e56d15730 <param.24222>, p_handled=p_handled@entry=0x7f7e541c4bbc)
   at ../src/pjsip/sip_endpoint.c:887
#10 0x00007f7e56adebec in distribute (data=0x7f7e6002c3a8) at res_pjsip/pjsip_distributor.c:770
#11 0x000000000071b0cd in ast_taskprocessor_execute (tps=0x2b77b50) at taskprocessor.c:965
#12 0x000000000072f92d in execute_tasks (data=0x2b77b50) at threadpool.c:1322
#13 0x000000000071b0cd in ast_taskprocessor_execute (tps=0x28bfae0) at taskprocessor.c:965
#14 0x000000000072c591 in threadpool_execute (pool=0x28c17f0) at threadpool.c:351
#15 0x000000000072ed33 in worker_active (worker=0x7f7e700009a0) at threadpool.c:1105
#16 0x000000000072e996 in worker_start (arg=0x7f7e700009a0) at threadpool.c:1024
#17 0x00000000007428d6 in dummy_start (data=0x7f7e70000ab0) at utils.c:1238
#18 0x00007f7e81de0dc5 in start_thread () from /lib64/libpthread.so.0
#19 0x00007f7e810cc6ed in clone () from /lib64/libc.so.6
{noformat}
Comments:

By: Asterisk Team (asteriskteam) 2017-11-05 21:25:46.776-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Aaron An (aaron) 2017-11-05 21:26:30.912-0600

I am going to submit a patch for this.

By: George Joseph (gjoseph) 2017-11-06 06:41:12.519-0600

Aaron,

We may need to treat this as a security issue.  Please don't post a patch to gerrit just yet.

Can you provide the exact steps needed to reproduce the issue?   Configuration, a sipp xml scenario file, etc.  Does the incoming packet need to be authenticated or does an unauthenticated packet cause the crash?  


By: George Joseph (gjoseph) 2017-11-06 06:57:18.856-0600

OK, I'm caught up.  Disregard my last comment.


By: Aaron An (aaron) 2017-11-06 21:31:34.792-0600

Hi George,
To reproduce this issue you should just configure a realtime ps_contacts and return a contact with uri as an empty string.

extconfig.conf:
   ps_endpoints => curl,http://cti-link-realtime:8089/interface/realtime/endpoint
   ps_endpoint_id_ips => curl,http://cti-link-realtime:8089/interface/realtime/identify
   ps_auths => curl,http://cti-link-realtime:8089/interface/realtime/auth
   ps_aors => curl,http://cti-link-realtime:8089/interface/realtime/aor
   ps_contacts => curl,http://cti-link-realtime:8089/interface/realtime/contact

console log:

pbx_variables.c:508 ast_str_substitute_variables_full: Function CURL(http://cti-link-realtime:8089/interface/realtime/contact/multi,id%20LIKE=60000011001%3B%40%25) result is 'id=60000011001;@e2f4c94407c9da3c5361ddf41ae8c4a8&expiration_time=1510022741&uri=sip:60000011001@36.102.210.236:14724'

It is OK when HTTP returns "uri=sip:60000011001@36.102.210.236:14724" but crashes when it returns "uri=".

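The backtrace shows what goes wrong: a contact row whose uri is the empty string is handed to registrar_find_contact, which calls pjsip_uri_cmp with url2=0x0 (frame #0), and pjsip_url_compare dereferences it. The defensive pattern is to parse the stored URI first and skip any row that fails to parse instead of comparing it. The block below is an added example written for this report; it is not Asterisk or pjproject code and not the merged change from the Gerrit reviews. The contact_row and sip_uri structs, the simplified parse_sip_uri (sip:user@host[:port] only, no IPv6 or parameters) and find_contact are hypothetical stand-ins for the pjsip types and functions; the sample rows are constructed, with the first id/uri pair copied from the console log above and the second mirroring the "uri=" case.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a contact row returned by realtime/astdb. */
struct contact_row {
    const char *id;
    const char *uri;   /* "" when the backend answers "uri=" */
};

/* Hypothetical parsed SIP URI, standing in for pjsip's parsed URI type. */
struct sip_uri {
    char user[64];
    char host[128];
    int port;
};

/* Parse "sip:user@host[:port]". Returns 1 on success, 0 for an empty or
 * malformed string. A failed parse is what produced url2 == 0x0 in the
 * report's frame #0 when the result was used without checking. */
static int parse_sip_uri(const char *s, struct sip_uri *out)
{
    const char *at, *colon;
    size_t len;

    if (!s || !*s || strncmp(s, "sip:", 4) != 0) {
        return 0;                               /* empty or wrong scheme */
    }
    s += 4;
    at = strchr(s, '@');
    if (!at || at == s) {
        return 0;
    }
    len = (size_t)(at - s);
    if (len >= sizeof(out->user)) return 0;
    memcpy(out->user, s, len);
    out->user[len] = '\0';

    s = at + 1;
    colon = strchr(s, ':');
    len = colon ? (size_t)(colon - s) : strlen(s);
    if (len == 0 || len >= sizeof(out->host)) return 0;
    memcpy(out->host, s, len);
    out->host[len] = '\0';

    out->port = 5060;                           /* default SIP port */
    if (colon) {
        const char *p = colon + 1;
        int port = 0;
        if (!*p) return 0;
        for (; *p; p++) {
            if (!isdigit((unsigned char)*p)) return 0;
            port = port * 10 + (*p - '0');
            if (port > 65535) return 0;
        }
        out->port = port;
    }
    return 1;
}

/* Convenience wrapper: does the string parse as a SIP URI at all? */
static int uri_is_valid(const char *s)
{
    struct sip_uri u;
    return parse_sip_uri(s, &u);
}

/* Like pjsip_url_compare, this assumes both operands are valid objects;
 * it must never be reached with a NULL or unparsed operand. */
static int sip_uri_equal(const struct sip_uri *a, const struct sip_uri *b)
{
    return strcmp(a->user, b->user) == 0
        && strcmp(a->host, b->host) == 0
        && a->port == b->port;
}

/* Hardened lookup: every stored uri is parsed before comparison and rows
 * that fail to parse are logged and skipped. Returns the matching row
 * index, or -1 when nothing matches (or the wanted uri is itself bad). */
static int find_contact(const struct contact_row *rows, size_t n,
                        const char *wanted_uri)
{
    struct sip_uri wanted, stored;
    size_t i;

    if (!parse_sip_uri(wanted_uri, &wanted)) {
        return -1;
    }
    for (i = 0; i < n; i++) {
        if (!parse_sip_uri(rows[i].uri, &stored)) {
            fprintf(stderr, "contact %s: skipping unparseable uri '%s'\n",
                    rows[i].id, rows[i].uri ? rows[i].uri : "(null)");
            continue;                           /* do not compare it */
        }
        if (sip_uri_equal(&wanted, &stored)) {
            return (int)i;
        }
    }
    return -1;
}

/* Constructed sample rows; the second reproduces the "uri=" case. */
static const struct contact_row sample_rows[] = {
    { "60000011001;@e2f4c94407c9da3c5361ddf41ae8c4a8", "sip:60000011001@36.102.210.236:14724" },
    { "60000011002;@constructed-id-2",                  "" },
    { "60000011003;@constructed-id-3",                  "sip:60000011003@192.0.2.10" },
};
#define SAMPLE_ROWS (sizeof(sample_rows) / sizeof(sample_rows[0]))

int main(void)
{
    int idx = find_contact(sample_rows, SAMPLE_ROWS, "sip:60000011003@192.0.2.10:5060");
    printf("match index: %d\n", idx);          /* the empty row is skipped, not dereferenced */
    return idx == 2 ? 0 : 1;
}
```

The point of the structure is that the compare function keeps pjsip's contract (non-NULL operands) while the caller, the equivalent of the registrar's find callback, is the place that validates what came out of the database; bad rows are surfaced in the log so an operator can fix the backend that returned "uri=".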
By: Friendly Automation (friendly-automation) 2017-11-07 12:05:30.974-0600

Change 7096 merged by Joshua Colp:
res_pjsip:  Avoid crash when contact uri is empty string

[https://gerrit.asterisk.org/7096|https://gerrit.asterisk.org/7096]

By: Friendly Automation (friendly-automation) 2017-11-07 12:09:33.693-0600

Change 6997 merged by Jenkins2:
res_pjsip:  Avoid crash when contact uri is empty string

[https://gerrit.asterisk.org/6997|https://gerrit.asterisk.org/6997]

By: Friendly Automation (friendly-automation) 2017-11-08 00:15:02.245-0600

Change 7097 merged by Jenkins2:
res_pjsip:  Avoid crash when contact uri is empty string

[https://gerrit.asterisk.org/7097|https://gerrit.asterisk.org/7097]