chan_sip: Fix crash when accessing RURI before initiating outgoing call

Attempting to access ${CHANNEL(ruri)} in a pre-dial handler before initiating an outgoing call will cause Asterisk to crash. This is because a null field is accessed, resulting in an offset from null and subsequent memory access violation. Since RURI is not guaranteed to exist, we now check if the base pointer is non-null before calculating an offset. ASTERISK-29772 Change-Id: Icd3b02f07256bbe6615854af5717074087b95a83
asterisk · Dec 13, 2021 · 97f4001 · 97f4001
1 parent b64e894
commit 97f4001
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/channels/sip/dialplan_functions.c b/channels/sip/dialplan_functions.c
@@ -166,8 +166,12 @@ int sip_acf_channel_read(struct ast_channel *chan, const char *funcname, char *p
 	} else if (!strcasecmp(args.param, "uri")) {
 		ast_copy_string(buf, p->uri, buflen);
 	} else if (!strcasecmp(args.param, "ruri")) {
-		char *tmpruri = REQ_OFFSET_TO_STR(&p->initreq, rlpart2);
-		ast_copy_string(buf, tmpruri, buflen);
+		if (p->initreq.data) {
+			char *tmpruri = REQ_OFFSET_TO_STR(&p->initreq, rlpart2);
+			ast_copy_string(buf, tmpruri, buflen);
+		} else {
+			return -1;
+		}
 	} else if (!strcasecmp(args.param, "useragent")) {
 		ast_copy_string(buf, p->useragent, buflen);
 	} else if (!strcasecmp(args.param, "peername")) {