From c6b757fa05c4c3fe1b7fa77844b9e5e3203d859f Mon Sep 17 00:00:00 2001
From: Kevin Harwell <kharwell@digium.com>
Date: Wed, 26 Apr 2017 14:20:00 -0500
Subject: [PATCH] res_pjsip/res_pjsip_callerid: NULL check on caller id name
 string

It's possible for a name in a party id structure to be marked as valid, but the
name string itself be NULL (for instance this is possible to do by using the
dialplan CALLERID function). There were a couple of places where the name was
validated, but the string itself was not checked before passing it to functions
like 'strlen'. This of course caused a crashed.

This patch adds in a NULL check before attempting to pass it into a function
that is not NULL tolerant.

ASTERISK-25823 #close

Change-Id: Iaa6ffe9d92f598fe9e3c8ae373fadbe3dfbf1d4a
---
 res/res_pjsip.c           | 12 ++++++++----
 res/res_pjsip_caller_id.c |  9 +++++++--
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index e4bcb70382..9de2176a65 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -4420,11 +4420,15 @@ void ast_sip_modify_id_header(pj_pool_t *pool, pjsip_fromto_hdr *id_hdr, const s
 	id_uri = pjsip_uri_get_uri(id_name_addr->uri);
 
 	if (id->name.valid) {
-		int name_buf_len = strlen(id->name.str) * 2 + 1;
-		char *name_buf = ast_alloca(name_buf_len);
+		if (!ast_strlen_zero(id->name.str)) {
+			int name_buf_len = strlen(id->name.str) * 2 + 1;
+			char *name_buf = ast_alloca(name_buf_len);
 
-		ast_escape_quoted(id->name.str, name_buf, name_buf_len);
-		pj_strdup2(pool, &id_name_addr->display, name_buf);
+			ast_escape_quoted(id->name.str, name_buf, name_buf_len);
+			pj_strdup2(pool, &id_name_addr->display, name_buf);
+		} else {
+			pj_strdup2(pool, &id_name_addr->display, NULL);
+		}
 	}
 
 	if (id->number.valid) {
diff --git a/res/res_pjsip_caller_id.c b/res/res_pjsip_caller_id.c
index 7948d33bea..470d90f43e 100644
--- a/res/res_pjsip_caller_id.c
+++ b/res/res_pjsip_caller_id.c
@@ -436,7 +436,7 @@ static pjsip_fromto_hdr *create_new_id_hdr(const pj_str_t *hdr_name, pjsip_fromt
 	id_name_addr = pjsip_uri_clone(tdata->pool, base->uri);
 	id_uri = pjsip_uri_get_uri(id_name_addr->uri);
 
-	if (id->name.valid) {
+	if (id->name.valid && !ast_strlen_zero(id->name.str)) {
 		int name_buf_len = strlen(id->name.str) * 2 + 1;
 		char *name_buf = ast_alloca(name_buf_len);
 
@@ -450,7 +450,12 @@ static pjsip_fromto_hdr *create_new_id_hdr(const pj_str_t *hdr_name, pjsip_fromt
 		pj_strdup2(tdata->pool, &id_name_addr->display, NULL);
 	}
 
-	pj_strdup2(tdata->pool, &id_uri->user, id->number.str);
+	if (id->number.valid) {
+		pj_strdup2(tdata->pool, &id_uri->user, id->number.str);
+	} else {
+		/* Similar to name, make sure the number is also cleared when invalid */
+		pj_strdup2(tdata->pool, &id_uri->user, NULL);
+	}
 
 	id_hdr->uri = (pjsip_uri *) id_name_addr;
 	return id_hdr;
-- 
GitLab