Summary:ASTERISK-24528: res_pjsip_refer: Sending INVITE with Replaces in-dialog with invalid target causes crash
Reporter:Joshua C. Colp (jcolp)Labels:Security
Date Opened:2014-11-17 09:03:16.000-0600Date Closed:2014-11-20 09:48:11.000-0600
Versions:12.7.0 13.0.0 Frequency of
Description:The INVITE with Replaces handling within res_pjsip_refer does not currently completely handle the case where a channel may already be handled by another thread. If an off nominal case occurs the code will incorrectly hang up the channel causing the other thread handling the channel to be using an already hung up and possibly freed channel.

Much FRACKING occurs.
Comments:By: Matt Jordan (mjordan) 2014-11-17 10:43:18.994-0600

[~jcolp]: I can't recall - did we have a specific scenario in mind that caused this?

By: Joshua C. Colp (jcolp) 2014-11-17 10:48:54.938-0600

It came up during fuzz testing. It's easily reproducible with a SIPP scenario. Send a normal INVITE, have the dialplan answer/playback/whatever. Then send an INVITE with Replaces and have the Replaces not match anything. Crash.

By: Matt Jordan (mjordan) 2014-11-17 13:34:01.681-0600

Cool. We should probably have a test for this then once it goes in.

By: Joshua C. Colp (jcolp) 2014-11-17 13:45:30.008-0600

Agreed! Very doable.