[reSIProcate] crash after receiving invalid Via line

Byron Campen bcampen at estacado.net
Fri Nov 3 15:18:01 CST 2006


Actually, this will break certain header types. An empty HFV has
meaning in some cases that is distinct from the header not being
present. The code at fault is the following:

*snip*
const Data&
SipMessage::getRFC2543TransactionId() const
{
    if(!( exists(h_Vias) && header(h_Vias).front().exists(p_branch) &&
          header(h_Vias).front().param(p_branch).hasMagicCookie() ) )
    {
       if (mRFC2543TransactionId.empty())
       {
          compute2543TransactionHash();
       }
    }
    return mRFC2543TransactionId;
}
*snip*

This needs to read as follows:
*snip*
const Data&
SipMessage::getRFC2543TransactionId() const
{
    if(!( exists(h_Vias) && !header(h_Vias).empty() &&
          header(h_Vias).front().exists(p_branch) &&
          header(h_Vias).front().param(p_branch).hasMagicCookie() ) )
    {
       if (mRFC2543TransactionId.empty())
       {
          compute2543TransactionHash();
       }
    }
    return mRFC2543TransactionId;
}

*snip*

Best regards,
Byron Campen

> Further detail & possible fix:
>
> bool
> SipMessage::exists(const HeaderBase& headerType) const
> {
> //patch for crash if Via does not contain a body:
> 	HeaderFieldValueList *hfvl = mHeaders[headerType.getTypeNum()];
>    return (hfvl!= 0) && (!hfvl->empty()) ;
> };
>
> It looks like with the above patch the following code is now called:
>
> Transport::basicCheck(const SipMessage& msg)
> {
>    resip::Data reason;
>    if (msg.isExternal())
>    {
>       try
>       {
>          if (!Helper::validateMessage(msg,&reason))
>          {
>             InfoLog(<<"Message Failed basicCheck :" << msg.brief());
>
> And when the response is sent to the wire an assertion is called:
>
> TransactionState:1666:
>
> assert(sip->exists(h_Vias));
>
>
> Will this patch work ok?
>
>
> Thanks,
>
> -Justin
>
> -----Original Message-----
> From: Justin Matthews [mailto:jmatthewsr at gmail.com]
> Sent: Friday, November 03, 2006 3:39 PM
> To: 'resiprocate-devel at list.sipfoundry.org'
> Subject: crash after receiving invalid Via line
>
> The stack is crashing when receiving a request with a via line equal to
> "Via: ".  The actual crash occurs in SipMessage.cxx:435,
> SipMessage::getRFC2543TransactionId, when accessing the via header.  The
> header exists in the mheaders container of the SipMessage, but it does not
> contain any values, so the front() call on line 435 fails.
>
> Can some initial checking be done in the MsgHeaderScanner.cxx,
> processMsgHeaderStatusLine() to drop this message?
>
> Thanks,
>
> -Justin
>
>
>
> Example request:
>
> CANCEL sip:dest at 192.168.2.31 SIP/2.0
> Via:
> From: "12345" <sip:12345 at 192.168.2.11>
> To: <sip:dest at 192.168.2.31>
> Call-ID: D71644F5-560F-44BE-AB36-F5FF7790A349 at 192.168.2.11
> Date: Fri, 03 Nov 2006 23:01:23 GMT
> CSeq: 0 CANCEL
> Contact: <sip:12345 at 192.168.2.11:5060>
> Content-Length: 0
>
>
>
>

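The three cases this thread turns on (header absent, header present with no value, header with a value), as an added example that is not part of the thread and is not reSIProcate code. `Headers`, `ViaState`, `parseHeaders`, `viaState` and `topViaBranch` are hypothetical names, and the parsing is deliberately simplified:

```cpp
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical model, not reSIProcate's types: header name -> field values.
// A "Via:" line with no body yields a key whose value list is empty.
using Headers = std::map<std::string, std::vector<std::string>>;
enum class ViaState { Absent, PresentEmpty, HasValue };

// Simplified parse: exact-case names, no compact forms, no line folding.
Headers parseHeaders(const std::string& raw)
{
    Headers h;
    std::istringstream in(raw);
    std::string line;
    std::getline(in, line);                       // skip the request line
    while (std::getline(in, line))
    {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.empty()) break;                  // blank line ends the headers
        std::string::size_type colon = line.find(':');
        if (colon == std::string::npos) continue;
        // The entry is created even when no value follows the colon.
        std::vector<std::string>& values = h[line.substr(0, colon)];
        std::string::size_type start = line.find_first_not_of(" \t", colon + 1);
        if (start != std::string::npos) values.push_back(line.substr(start));
    }
    return h;
}

ViaState viaState(const Headers& h)
{
    Headers::const_iterator it = h.find("Via");
    if (it == h.end()) return ViaState::Absent;
    return it->second.empty() ? ViaState::PresentEmpty : ViaState::HasValue;
}

// Copies the top Via's branch into 'out'. front() is reached only after the
// emptiness check, so an empty "Via:" returns false instead of crashing.
bool topViaBranch(const Headers& h, std::string& out)
{
    if (viaState(h) != ViaState::HasValue) return false;
    const std::string& via = h.at("Via").front();
    std::string::size_type pos = via.find(";branch=");
    if (pos == std::string::npos) return false;
    pos += 8;                                     // length of ";branch="
    out = via.substr(pos, via.find(';', pos) - pos);
    return true;
}
```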