Summary: ASTERISK-07986: parse_uri can crash asterisk
Reporter: Mark Monnin (wrmem)
Labels:
Date Opened: 2006-10-23 19:24:00
Date Closed: 2006-10-23 19:53:29
Versions:
Frequency of
Environment:
Attachments: (0) parse_uri_fix.patch
Description: The latest use of parse_uri may lead to Asterisk being unstable (aka core dump), due to referencing *pass without checking that it is not NULL.

Attached is a patch that fixes the problem (but may not be the most correct fix for the problem).

[Switching to Thread -1214407760 (LWP 23534)]
parse_uri (uri=0xb79ccde8 "sip::XXXX@WW.XX.YY.ZZ:5060", scheme=0x3a8665 "sip:",
   ret_name=0xb79ca99c, pass=0x0, domain=0xb79ca994, port=0xb79ca998, options=0x0)
   at chan_sip.c:2257
2257            if (*pass)
(gdb) where
#0  parse_uri (uri=0xb79ccde8 "sip:XXXX@WW.XX.YY.ZZ:5060", scheme=0x3a8665 "sip:",
   ret_name=0xb79ca99c, pass=0x0, domain=0xb79ca994, port=0xb79ca998, options=0x0)
   at chan_sip.c:2257
#1  0x00370af1 in parse_register_contact (pvt=0x8c33238, peer=0x8c1c3b0, req=0xb79d8060)
   at chan_sip.c:7706
#2  0x003921b4 in handle_request_register (p=0x8c33238, req=0xb79d8060, sin=0xb79d8050,
   e=0xb79d8285 "sip:FQDN.DOMAIN.TLD") at chan_sip.c:8205
#3  0x003a2b06 in handle_request (p=0x8c33238, req=0xb79d8060, sin=0xb79d8050,
   recount=0xb79ccde8, nounlock=0xb79ccde8) at chan_sip.c:14534
#4  0x003a54dd in sipsock_read (id=0x8c17240, fd=22, events=1, ignore=0x0)
   at chan_sip.c:14661
#5  0x080a070e in ast_io_wait (ioc=0x8c13c70, howlong=-1214460440) at io.c:279
#6  0x003a665f in do_monitor (data=0x0) at chan_sip.c:14860
#7  0x080eb7f5 in dummy_start (data=0x0) at utils.c:544
#8  0x00bd0341 in start_thread () from /lib/tls/libpthread.so.0
#9  0x009d26fe in clone () from /lib/tls/libc.so.6
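The defect pattern behind this crash is a parser with optional output pointers that dereferences one of them (`if (*pass)`) without first checking that the caller supplied it; parse_register_contact() passes pass=0x0, so the first REGISTER through that path faults. The following is an added example, not Asterisk's parse_uri() or the attached patch: a simplified in-place splitter for "scheme:user[:pass]@host[:port]" (the function names parse_uri_demo and check_parse and the "reject if no '@'" rule are assumptions for this demo) in which every store through an output pointer is guarded, so a NULL for any unwanted field is safe.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Asterisk code): a simplified URI splitter in the
 * spirit of chan_sip's parse_uri(). It splits "scheme:user[:pass]@host[:port]"
 * in place and hands the pieces back through output pointers. Every output
 * pointer is optional; a caller that does not need the password passes NULL,
 * as parse_register_contact() does in the backtrace above, so every store is
 * guarded with a NULL check. The crash in the report is the unguarded form,
 * `if (*pass)` with pass == NULL.
 * Returns 0 on success and -1 if the URI has no '@' (a rule chosen for this
 * demo, not Asterisk's). */
static int parse_uri_demo(char *uri, const char *scheme,
                          char **ret_name, char **pass,
                          char **domain, char **port)
{
    char *name, *at, *colon, *host, *pcolon;
    size_t slen;

    if (!uri || !scheme)
        return -1;

    /* Strip the scheme prefix ("sip:") when present. */
    slen = strlen(scheme);
    if (strncmp(uri, scheme, slen) == 0)
        uri += slen;

    /* Split the user part from the host part at '@'. */
    at = strchr(uri, '@');
    if (!at)
        return -1;
    *at = '\0';
    name = uri;
    host = at + 1;

    /* Optional password after ':' in the user part; an empty user
     * ("sip::XXXX@...", as in the report) leaves name == "". */
    colon = strchr(name, ':');
    if (colon)
        *colon++ = '\0';

    /* Optional port after ':' in the host part. */
    pcolon = strchr(host, ':');
    if (pcolon)
        *pcolon++ = '\0';

    /* Write each result only if the caller asked for it. Absent fields
     * point at an empty string inside the buffer, so callers that do
     * receive a pointer can always dereference it. */
    if (ret_name)
        *ret_name = name;
    if (pass)
        *pass = colon ? colon : name + strlen(name);
    if (domain)
        *domain = host;
    if (port)
        *port = pcolon ? pcolon : host + strlen(host);
    return 0;
}

/* Helper for main() and tests: parses a private copy of `uri`, requesting
 * the password only when `want_pass` is non-zero, and returns 1 if every
 * requested field matches its expectation (exp_pass is ignored when the
 * password is not requested), 0 on a mismatch, and -1 if parsing failed. */
static int check_parse(const char *uri, int want_pass,
                       const char *exp_name, const char *exp_pass,
                       const char *exp_domain, const char *exp_port)
{
    char buf[256];
    char *name = NULL, *pw = NULL, *dom = NULL, *prt = NULL;

    if (strlen(uri) >= sizeof(buf))
        return -1;
    strcpy(buf, uri);
    if (parse_uri_demo(buf, "sip:", &name, want_pass ? &pw : NULL,
                       &dom, &prt) != 0)
        return -1;
    if (strcmp(name, exp_name) || strcmp(dom, exp_domain) || strcmp(prt, exp_port))
        return 0;
    if (want_pass && strcmp(pw, exp_pass))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs; the second mirrors the shape of the URI in the report. */
    printf("pass=NULL ok: %d\n",
           check_parse("sip:alice:secret@example.invalid:5060", 0,
                       "alice", NULL, "example.invalid", "5060"));
    printf("empty user ok: %d\n",
           check_parse("sip::XXXX@host.invalid:5060", 1,
                       "", "XXXX", "host.invalid", "5060"));
    printf("no '@' rejected: %d\n",
           check_parse("sip:nohost", 0, "", NULL, "", ""));
    return 0;
}
```

The check the report asks for is the `if (pass)` guard in front of `*pass = ...`; the same guard belongs in front of every optional output, since a caller that is allowed to pass NULL for one field will eventually do so for another.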
Comments:
By: Russell Bryant (russell) 2006-10-23 19:53:29

I actually just put in this same fix before pulling up the bug tracker.  Thanks, though!