rtpengine: fix late negociation detection of rtpengine_manage()

When a reply is received, do not look into the request if it has body, since that could lead to headers parsing in pkg - that might leak. Thanks go to @bogdan-iancu for spotting the issue (cherry picked from commit 06f7297)
OpenSIPS · Jul 21, 2020 · 4f60391 · 4f60391
1 parent 89b79ce
commit 4f60391
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 17 deletions.
diff --git a/modules/rtpengine/rtpengine.c b/modules/rtpengine/rtpengine.c
@@ -2342,7 +2342,6 @@ rtpengine_manage(struct sip_msg *msg, str *flags, pv_spec_t *spvar,
 	int nosdp;
 	int op = OP_ANSWER;
 	struct cell *t;
-	struct sip_msg req;
 
 	if(msg->cseq==NULL && ((parse_headers(msg, HDR_CSEQ_F, 0)==-1)
 				|| (msg->cseq==NULL)))
@@ -2368,14 +2367,24 @@ rtpengine_manage(struct sip_msg *msg, str *flags, pv_spec_t *spvar,
 		nosdp = parse_sdp(msg)?0:1;
 
 	if(msg->first_line.type == SIP_REQUEST) {
-		if(method==METHOD_ACK && nosdp==0)
-			return rtpengine_offer_answer(msg, flags, spvar, bpvar, body, OP_ANSWER);
-		if(method==METHOD_UPDATE && nosdp==0)
-			return rtpengine_offer_answer(msg, flags, spvar, bpvar, body, OP_OFFER);
-		if(method==METHOD_INVITE && nosdp==0) {
-			if(route_type==FAILURE_ROUTE)
-				return rtpengine_delete(msg, flags, spvar);
-			return rtpengine_offer_answer(msg, flags, spvar, bpvar, body, OP_OFFER);
+		if(nosdp==0) {
+			switch (method) {
+				case METHOD_ACK:
+					op = OP_ANSWER;
+					break;
+				case METHOD_INVITE:
+					if(route_type==FAILURE_ROUTE)
+						return rtpengine_delete(msg, flags, spvar);
+					/* fall through */
+				case METHOD_UPDATE:
+					op = OP_OFFER;
+					break;
+				default:
+					return -1;
+			}
+			return rtpengine_offer_answer(msg, flags, spvar, bpvar, body, op);
+		} else if (method==METHOD_INVITE) {
+			msg->msg_flags |= FL_BODY_NO_SDP;
 		}
 	} else if(msg->first_line.type == SIP_REPLY) {
 		if(msg->first_line.u.reply.statuscode>=300)
@@ -2385,14 +2394,8 @@ rtpengine_manage(struct sip_msg *msg, str *flags, pv_spec_t *spvar,
 				return rtpengine_offer_answer(msg, flags, spvar, bpvar, body, OP_ANSWER);
 			if (tmb.t_gett != NULL) {
 				t = tmb.t_gett();
-				if(t && t != T_UNDEFINED) {
-					/* dup the request so that we don't overlap with other
-					 * replies that might parse the request in the same time */
-					req = *t->uas.request;
-					if (!msg_has_sdp(&req))
-						op = OP_OFFER;
-					free_sip_body(req.body);
-				}
+				if(t && t != T_UNDEFINED && t->uas.request->msg_flags & FL_BODY_NO_SDP)
+					op = OP_OFFER;
 			}
 			/* op defaults to OP_ANSWER */
 			return rtpengine_offer_answer(msg, flags, spvar, bpvar, body, op);

diff --git a/parser/msg_parser.h b/parser/msg_parser.h
@@ -121,6 +121,7 @@ enum request_method {
                                       * either in failure route or resume 
                                       * route */
 #define FL_TM_REPLICATED	 (1<<19) /* message received due to a tm replication */
+#define FL_BODY_NO_SDP       (1<<20) /* message does not have an SDP body */
 
 /* define the # of unknown URI parameters to parse */
 #define URI_MAX_U_PARAMS 10