Ticket #2021 (closed defect: fixed)

Opened 3 weeks ago

Last modified 3 weeks ago

Crash in getting call info with long Contact header

Reported by: nanang Owned by: bennylp
Priority: normal Milestone: release-2.7
Component: pjsua2 Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description

Call info structure (pjsua_call_info) uses internal buffer for storing contact info, unfortunately the buffer may be insufficient for a very long Contact header and so local_contact/remote_contact field has negative length value (as pjsip_uri_print() returning negative value when buffer is insufficient). Unfortunately, pj2Str() util in PJSUA2 does not check for such negative length and it causes crash.

So there are 3 issues here:

  1. pjsua_call_get_info() does not check negative length of local contact, while it checks remote contact and normalize the length to zero when it is negative.
  2. Docs of pjsip_uri_print() only says "Returns: Length printed", while on error it actually returns negative value.
  3. pj2Str() does not check for negative pj_str_t.slen.

Thanks Nick Dowell for the report and the patch. Original report and patch can be found here.

Change History

comment:1 Changed 3 weeks ago by nanang

  • Status changed from new to closed
  • Resolution set to fixed

In 5601:

Fix #2021: Crash in getting call info with long Contact header.

Note: See TracTickets for help on using tickets.