Opened 8 years ago
Closed 8 years ago
#2021 closed defect (fixed)
Crash in getting call info with long Contact header
| Reported by: | nanang | Owned by: | bennylp |
|---|---|---|---|
| Priority: | normal | Milestone: | release-2.7 |
| Component: | pjsua2 | Version: | trunk |
| Keywords: | | Cc: | |
| Backport to 1.x milestone: | | Backported: | no |
Description
Call info structure (pjsua_call_info) uses an internal buffer for storing contact info. Unfortunately the buffer may be insufficient for a very long Contact header, and so the local_contact/remote_contact field has a negative length value (as pjsip_uri_print() returns a negative value when the buffer is insufficient). Unfortunately, the pj2Str() util in PJSUA2 does not check for such a negative length, and it causes a crash.
So there are 3 issues here:
- pjsua_call_get_info() does not check for a negative length of the local contact, while it checks the remote contact and normalizes the length to zero when it is negative.
- Docs of pjsip_uri_print() only say "Returns: Length printed", while on error it actually returns a negative value.
- pj2Str() does not check for negative pj_str_t.slen.
Thanks Nick Dowell for the report and the patch. Original report and patch can be found here.
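The checks listed above, sketched in C++ as an added example (not PJSIP source and not the patch from this ticket). `str_view_t`, `print_contact`, `fill_contact` and `to_string_checked` are hypothetical stand-ins for `pj_str_t`, `pjsip_uri_print()`, the caller in `pjsua_call_get_info()` and `pj2Str()`; the URI is a constructed sample.

```cpp
// Added illustration: hypothetical stand-ins, not PJSIP source.
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Stand-in for pj_str_t: a pointer plus a SIGNED length.
struct str_view_t { const char *ptr; long slen; };

// Stand-in for pjsip_uri_print(): returns the length printed, or a
// negative value when the buffer is too small (the undocumented case).
static long print_contact(const char *uri, char *buf, std::size_t size) {
    std::size_t need = std::strlen(uri);
    if (need >= size) return -1;          // no room for text + NUL
    std::memcpy(buf, uri, need + 1);
    return static_cast<long>(need);
}

// Issue 1: the caller normalizes a negative result to zero for every
// contact field, not only the remote one.
static str_view_t fill_contact(const char *uri, char *buf, std::size_t size) {
    str_view_t s = { buf, print_contact(uri, buf, size) };
    if (s.slen < 0) s.slen = 0;
    return s;
}

// Issue 3: the converter validates slen itself. Without this check a
// negative slen becomes a huge size_t in the std::string constructor.
static std::string to_string_checked(const str_view_t &s) {
    if (s.ptr == nullptr || s.slen <= 0) return std::string();
    return std::string(s.ptr, static_cast<std::size_t>(s.slen));
}

int main() {
    char buf[16];                          // deliberately small buffer
    const char *long_uri = "sip:alice@example.com";   // constructed sample
    str_view_t raw = { buf, print_contact(long_uri, buf, sizeof buf) };
    std::cout << "raw slen: " << raw.slen << "\n";
    std::cout << "normalized slen: "
              << fill_contact(long_uri, buf, sizeof buf).slen << "\n";
    std::cout << "converted: '" << to_string_checked(raw) << "'\n";
    return 0;
}
```

Checking in both the caller and the converter means a missed normalization in one code path still cannot reach the string constructor with a negative length.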
Change History (1)
comment:1 Changed 8 years ago by nanang
- Resolution set to fixed
- Status changed from new to closed
In 5601: