From f3f5b45d5792aadb555eabbe6ca1f1924b22bbe5 Mon Sep 17 00:00:00 2001
From: Richard Mudgett <rmudgett@digium.com>
Date: Mon, 10 Aug 2015 18:23:02 -0500
Subject: [PATCH] res_pjsip.c: Fix crash from corrupt saved SUBSCRIBE message.

If the saved SUBSCRIBE message is not parseable for whatever reason then
Asterisk could crash when libpjsip tries to parse the message and adds an
error message to the parse error list.

* Made ast_sip_create_rdata() initialize the parse error rdata list.  The
list is checked after parsing to see that it remains empty for the
function to return successful.

ASTERISK-25306
Reported by Mark Michelson

Change-Id: Ie0677f69f707503b1a37df18723bd59418085256
---
 res/res_pjsip.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 25a35c0c80..04e16c4153 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -2645,6 +2645,12 @@ int ast_sip_create_rdata(pjsip_rx_data *rdata, char *packet, const char *src_nam
 {
 	pj_str_t tmp;
 
+	/*
+	 * Initialize the error list in case there is a parse error
+	 * in the given packet.
+	 */
+	pj_list_init(&rdata->msg_info.parse_err);
+
 	rdata->tp_info.transport = PJ_POOL_ZALLOC_T(rdata->tp_info.pool, pjsip_transport);
 	if (!rdata->tp_info.transport) {
 		return -1;
@@ -2655,7 +2661,7 @@ int ast_sip_create_rdata(pjsip_rx_data *rdata, char *packet, const char *src_nam
 	rdata->pkt_info.src_port = src_port;
 
 	pjsip_parse_rdata(packet, strlen(packet), rdata);
-	if (!rdata->msg_info.msg) {
+	if (!rdata->msg_info.msg || !pj_list_empty(&rdata->msg_info.parse_err)) {
 		return -1;
 	}
 
-- 
GitLab