Re: Patch for crash in pjsua2 pj2Str()

Hi Nick,

Just finished investigating the report and checked in the patch (slightly modified) and additional patches, for the other related issues as described in the report, to SVN trunk for ticket https://trac.pjsip.org/repos/ticket/2021.

Thank you for such a detailed report and the patch.

BR,
nanang


On Thu, Jun 1, 2017 at 10:52 PM, Nick Dowell <nick@xxxxxxxxxxxxxx> wrote:
When passed a pj_str_t with a negative slen, pj2Str() results in an
(uncaught) exception being thrown by the std::string constructor.

The fix is very simple - check that the slen is valid.

diff --git a/pjsip/src/pjsua2/util.hpp b/pjsip/src/pjsua2/util.hpp
index ae72af63..1563fc0f 100644
--- a/pjsip/src/pjsua2/util.hpp
+++ b/pjsip/src/pjsua2/util.hpp
@@ -36,7 +36,7 @@ inline pj_str_t str2Pj(const string &input_str)

 inline string pj2Str(const pj_str_t &input_str)
 {
-    if (input_str.ptr)
+    if (input_str.ptr && 0 < input_str.slen)
        return string(input_str.ptr, input_str.slen);
     return string();
 }
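Review bot: The new `0 < input_str.slen` guard turns a negative length into an empty string, so a caller such as pj::CallInfo::fromPj() can no longer tell a genuinely empty local_contact from one that, as the report explains, did not fit in pjsua_call_info's 128-byte buffer and came back from pjsip_uri_print() with a negative length. As a crash stop that is fine, but the producer side should get the same treatment: pjsua_call_get_info() already checks for a negative slen on remote_contact and should do so for local_contact too, and a log line or pj_assert() here would keep the truncation visible instead of silently hiding it. Minor style point: the surrounding code tests `input_str.ptr` directly, so `input_str.slen > 0` reads more consistently than the reversed comparison.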



For us this crash was occurring when calling pj::Call::getInfo() upon
receiving a call, and more specifically it was pj::CallInfo::fromPj()
that was calling pj2Str() with a bad string.

Further investigation revealed that it was the local_contact string
that was the problem.

We encountered this issue when adding support for Flexisip's push
notification functionality, which requires the device token or
registration id to be sent as part of the contact header [1].

This causes a problem for PJSIP because pjsua_call_info uses a small
fixed-size buffer (128 bytes) to store local_contact, and is not
large enough to store the contact headers required by Flexisip's push
notification mechanism.

I also noticed that pjsua_call_get_info() checks for negative slen
when processing remote_contact but does not do so for local_contact.
It may be worth revising this, or increasing the buffer size, but
since the patch to pj2Str() has resolved our issues I have not taken
this further.

Also it is not obvious that pjsip_uri_print() can return a negative
value; its documentation simply states "Returns: Length printed", so
this could be considered a bug in pjsip_uri_print().


[1] - https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/#HConfiguringLinphoneiOS
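The failure mode described in the report, reproduced as an added example (not code from the report or from PJSIP): a stand-in `pj_str_t`, the helper before and after the patch, and a hypothetical `print_uri()` that, like the pjsip_uri_print() behaviour Nick describes, reports a URI that does not fit its fixed buffer as a negative length.

```cpp
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>

// Constructed stand-in for pjlib's pj_str_t (pointer plus signed length);
// this is not PJSIP's own header.
struct pj_str_t {
    char* ptr;
    long  slen;  // signed (pj_ssize_t in PJSIP), so it can carry a negative error value
};

// The helper as it was before the patch: a negative slen converts to a huge
// size_t and the std::string constructor throws std::length_error.
inline std::string pj2Str_before(const pj_str_t& s) {
    if (s.ptr)
        return std::string(s.ptr, s.slen);
    return std::string();
}

// The patched helper: a non-positive length is treated as "no string".
inline std::string pj2Str_after(const pj_str_t& s) {
    if (s.ptr && 0 < s.slen)
        return std::string(s.ptr, s.slen);
    return std::string();
}

// Hypothetical printer modelling how pjsua_call_get_info() fills local_contact:
// the URI is written into a small fixed buffer and the return value becomes slen.
// When the URI does not fit, the error is reported as -1, just as the report
// observed for an oversized push-notification contact.
static long print_uri(const std::string& uri, char* buf, std::size_t bufsize) {
    if (uri.size() >= bufsize) return -1;
    std::memcpy(buf, uri.data(), uri.size());
    return static_cast<long>(uri.size());
}

// True if the pre-patch helper throws for this URI and buffer size.
bool before_throws(const std::string& uri, std::size_t bufsize) {
    char buf[128];
    pj_str_t contact{buf, print_uri(uri, buf, bufsize)};
    try { (void)pj2Str_before(contact); } catch (const std::length_error&) { return true; }
    return false;
}

// The patched helper never throws; an unprintable contact simply comes back empty.
std::string after_value(const std::string& uri, std::size_t bufsize) {
    char buf[128];
    pj_str_t contact{buf, print_uri(uri, buf, bufsize)};
    return pj2Str_after(contact);
}
```

The sample URIs below are constructed; with a buffer too small for the contact, `before_throws()` reports the exception and `after_value()` returns an empty string, which is why the producer-side check the report suggests still matters.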


_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@xxxxxxxxxxxxxxx
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
