
Summary: ASTERISK-28936: res_pjsip: crash when dialing non-sip uri
Reporter: Walter Doekes (wdoekes)
Labels:
Date Opened: 2020-06-05 04:00:37
Date Closed: 2020-06-08 09:44:27
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Resources/res_pjsip
Versions: 13.33.0
Frequency of Occurrence: Frequent
Related Issues:
Environment:
Attachments:
Description:
{noformat}
*CLI> channel originate PJSIP/bob/tel:123 application Wait
Segmentation fault
{noformat}
(Note that this does not always crash, because it depends on reading out-of-bounds mem.)

BT:
{noformat}
(gdb) bt
#0  __strncasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:198
#1  0x00007ffff78e7c37 in pj_stricmp (str1=str1@entry=0x7fff88009228, str2=str2@entry=0x7fffa158b7f0 <x_name>) at ../include/pj/string_i.h:222
#2  0x00007ffff784fdbd in pjsip_param_find (param_list=param_list@entry=0x7fff88009210, name=name@entry=0x7fffa158b7f0 <x_name>) at ../src/pjsip/sip_uri.c:38
#3  0x00007fffa134bac3 in ast_sip_get_transport_name (endpoint=endpoint@entry=0x555555dde150, sip_uri=0x7fff88009188, buf=buf@entry=0x7fff9e842700 "", buf_len=buf_len@entry=128) at res_pjsip.c:3102
#4  0x00007fffa134bbcf in ast_sip_set_tpselector_from_ep_or_uri (endpoint=endpoint@entry=0x555555dde150, sip_uri=<optimized out>, selector=selector@entry=0x7fff9e842830) at res_pjsip.c:3272
#5  0x00007fffa134bc5c in ast_sip_dlg_set_transport (endpoint=endpoint@entry=0x555555dde150, dlg=0x7fff88008c38, selector=selector@entry=0x7fff9e842830) at res_pjsip.c:3130
#6  0x00007fffa134bdfd in ast_sip_create_dialog_uac (endpoint=endpoint@entry=0x555555dde150, uri=uri@entry=0x7fff9e842ba4 "tekl:123@bob", request_user=request_user@entry=0x0) at res_pjsip.c:3347
{noformat}
{noformat}
(gdb) up
#1  0x00007ffff78e7c37 in pj_stricmp (str1=str1@entry=0x7fff88009228, str2=str2@entry=0x7fffa158b7f0 <x_name>) at ../include/pj/string_i.h:222
222 int res = pj_ansi_strnicmp(str1->ptr, str2->ptr, min);
(gdb) print *str1
$1 = {ptr = 0x13 <error: Cannot access memory at address 0x13>, slen = 140737346742117}
{noformat}
The problem is in {{ast_sip_dlg_set_transport()}}. It assumes that the dlg->target is a {{pjsip_sip_uri}}, while it can also be a {{pjsip_other_uri}}:
{code}
pjsip_dialog *ast_sip_create_dialog_uac(const struct ast_sip_endpoint *endpoint,
       const char *uri, const char *request_user)
{
...
       res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
...

       /* We have to temporarily bump up the sess_count here so the dialog is not prematurely destroyed */
       dlg->sess_count++;

       ast_sip_dlg_set_transport(endpoint, dlg, &selector);

       if (sip_dialog_create_from(dlg->pool, &local_uri, endpoint->fromuser, endpoint->fromdomain, &remote_uri, &selector)) {
{code}
And:
{code}
int ast_sip_dlg_set_transport(const struct ast_sip_endpoint *endpoint, pjsip_dialog *dlg,
       pjsip_tpselector *selector)
{
       pjsip_sip_uri *uri;
       pjsip_tpselector sel = { .type = PJSIP_TPSELECTOR_NONE, };

       uri = pjsip_uri_get_uri(dlg->target);  // <-- invalid "dynamic" cast to pjsip_sip_uri
{code}
{{pjsip_dlg_create_uac()}} will initialize {{dlg->target}}, but it's not guaranteed to be a {{pjsip_sip_uri}}.

After the cast in {{ast_sip_dlg_set_transport}}, {{ast_sip_set_tpselector_from_ep_or_uri}} reads out of bounds memory. (Memory that a pjsip_sip_uri would own, but a pjsip_other_uri does not.)

Result: crash.

Possible fix:
{noformat}
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -3327,6 +3327,11 @@ pjsip_dialog *ast_sip_create_dialog_uac(const struct ast_sip_endpoint *endpoint,
       pj_cstr(&target_uri, uri);

       res = pjsip_dlg_create_uac(pjsip_ua_instance(), &local_uri, NULL, &remote_uri, &target_uri, &dlg);
+       if (res == PJ_SUCCESS && (!PJSIP_URI_SCHEME_IS_SIP(dlg->target) && !PJSIP_URI_SCHEME_IS_SIPS(dlg->target))) {
+               /* dlg->target is not a pjsip_sip_uri but a pjsip_other_uri;
+                * but we don't expect those below. Fail now. */
+               res = PJSIP_EINVALIDURI;
+       }
       if (res != PJ_SUCCESS) {
               if (res == PJSIP_EINVALIDURI) {
                       ast_log(LOG_ERROR,
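Review bot: the scheme check added after pjsip_dlg_create_uac() protects only this caller; ast_sip_dlg_set_transport() is still an exported function that casts dlg->target via pjsip_uri_get_uri() and hands the result to ast_sip_set_tpselector_from_ep_or_uri(), so any other path that builds a dialog with a non-SIP target reaches the same out-of-bounds read. Put the PJSIP_URI_SCHEME_IS_SIP/PJSIP_URI_SCHEME_IS_SIPS test inside ast_sip_dlg_set_transport() as well, returning an error before the cast, and keep this early failure. Second point on the same hunk: when res is forced to PJSIP_EINVALIDURI here, pjsip_dlg_create_uac() has already succeeded and dlg exists, but the error path visible below only logs; make sure that path terminates the dialog (pjsip_dlg_terminate(dlg)) so a rejected tel: target does not leak it.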
{noformat}
^- I'll put this on gerrit
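The type confusion the report describes, as an added example written for this page (not Asterisk or PJSIP code): a miniature model of PJSIP's polymorphic URI objects, with the blind downcast from the backtrace next to a checked version. The struct names, the parser and the sample URIs are constructed for the example; only the scheme test mirrors what PJSIP_URI_SCHEME_IS_SIP()/PJSIP_URI_SCHEME_IS_SIPS() do (a case-insensitive compare of the scheme returned by the URI's vtable).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal model of PJSIP's polymorphic URIs (an assumption for this example, not
 * the real pjsip_uri/pjsip_sip_uri/pjsip_other_uri layouts). It keeps what matters:
 * every kind starts with a vptr, and only sip:/sips: has a transport field. */
typedef struct uri_vptr { const char *(*get_scheme)(const void *u); } uri_vptr;
typedef struct uri { const uri_vptr *vptr; } uri;

typedef struct sip_uri {            /* sip: / sips: */
    uri base;
    int secure;
    char user[32], host[64];
    char transport_param[16];       /* value of ";transport=", "" if absent */
} sip_uri;

typedef struct other_uri {          /* tel:, mailto:, ...: scheme + opaque content */
    uri base;
    char scheme[16], content[64];
} other_uri;

static const char *sip_scheme(const void *u) { return ((const sip_uri *)u)->secure ? "sips" : "sip"; }
static const char *other_scheme(const void *u) { return ((const other_uri *)u)->scheme; }
static const uri_vptr sip_vptr = { sip_scheme }, other_vptr = { other_scheme };

static void copy_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

static int str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Stand-in for PJSIP_URI_SCHEME_IS_SIP()/_IS_SIPS(): case-insensitive scheme match. */
int scheme_is(const uri *u, const char *want) { return str_ieq(u->vptr->get_scheme(u), want); }

/* Constructed, deliberately simple parser: "scheme:rest". sip/sips additionally get
 * user@host and an optional ";transport=xxx"; anything else becomes an other_uri,
 * which is a smaller allocation than a sip_uri. Returns NULL on malformed input. */
uri *parse_uri(const char *s)
{
    const char *colon = strchr(s, ':');
    char scheme[16];
    if (!colon || colon == s || (size_t)(colon - s) >= sizeof scheme) return NULL;
    copy_bounded(scheme, sizeof scheme, s, (size_t)(colon - s));
    if (str_ieq(scheme, "sip") || str_ieq(scheme, "sips")) {
        sip_uri *su = calloc(1, sizeof *su);
        const char *rest = colon + 1;
        const char *semi = strchr(rest, ';');
        const char *end = semi ? semi : rest + strlen(rest);
        const char *at = memchr(rest, '@', (size_t)(end - rest));
        if (!su) return NULL;
        su->base.vptr = &sip_vptr;
        su->secure = str_ieq(scheme, "sips");
        if (at) {
            copy_bounded(su->user, sizeof su->user, rest, (size_t)(at - rest));
            rest = at + 1;
        }
        copy_bounded(su->host, sizeof su->host, rest, (size_t)(end - rest));
        if (semi && strncmp(semi, ";transport=", 11) == 0)
            copy_bounded(su->transport_param, sizeof su->transport_param, semi + 11, strlen(semi + 11));
        return &su->base;
    }
    other_uri *ou = calloc(1, sizeof *ou);
    if (!ou) return NULL;
    ou->base.vptr = &other_vptr;
    copy_bounded(ou->scheme, sizeof ou->scheme, scheme, strlen(scheme));
    copy_bounded(ou->content, sizeof ou->content, colon + 1, strlen(colon + 1));
    return &ou->base;
}

/* The pattern from the report: blind downcast of the target to sip_uri. Correct for
 * sip:/sips:; for an other_uri, transport_param lies past the end of the smaller
 * allocation, which is the out-of-bounds read in the backtrace. */
int get_transport_name_unchecked(const uri *target, char *buf, size_t len)
{
    const sip_uri *su = (const sip_uri *)target;
    snprintf(buf, len, "%s", su->transport_param);
    return 0;
}

/* Hardened form: check the scheme before the downcast and fail so the caller can
 * abort dialog creation (the role PJSIP_EINVALIDURI plays in the proposed patch). */
int get_transport_name_checked(const uri *target, char *buf, size_t len)
{
    if (!scheme_is(target, "sip") && !scheme_is(target, "sips")) {
        if (len) buf[0] = '\0';
        return -1;
    }
    return get_transport_name_unchecked(target, buf, len);  /* scheme verified: cast is valid */
}
```

Building this with `-fsanitize=address` and calling get_transport_name_unchecked() on the parsed "tel:123" object is the quickest way to see the class of bug: the read of transport_param lands beyond the other_uri allocation and the sanitizer reports a heap-buffer-overflow read, the same thing that only sometimes segfaults in the report because it depends on what happens to be mapped after the object.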
Comments:

By: Asterisk Team (asteriskteam) 2020-06-05 04:00:38.645-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

By: Friendly Automation (friendly-automation) 2020-06-08 09:44:28.919-0500

Change 14498 merged by Friendly Automation:
pjsip: Prevent invalid memory access when attempting to contact a non-sip URI

[https://gerrit.asterisk.org/c/asterisk/+/14498|https://gerrit.asterisk.org/c/asterisk/+/14498]

By: Friendly Automation (friendly-automation) 2020-06-08 09:45:25.302-0500

Change 14502 merged by Friendly Automation:
pjsip: Prevent invalid memory access when attempting to contact a non-sip URI

[https://gerrit.asterisk.org/c/asterisk/+/14502|https://gerrit.asterisk.org/c/asterisk/+/14502]

By: Friendly Automation (friendly-automation) 2020-06-08 09:52:54.645-0500

Change 14499 merged by Friendly Automation:
pjsip: Prevent invalid memory access when attempting to contact a non-sip URI

[https://gerrit.asterisk.org/c/asterisk/+/14499|https://gerrit.asterisk.org/c/asterisk/+/14499]

By: Friendly Automation (friendly-automation) 2020-06-08 10:52:16.452-0500

Change 14500 merged by Joshua Colp:
pjsip: Prevent invalid memory access when attempting to contact a non-sip URI

[https://gerrit.asterisk.org/c/asterisk/+/14500|https://gerrit.asterisk.org/c/asterisk/+/14500]