Skip to content

Prevent crash when pjsip_inv_verify_request3() return error #4503

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Prevent crash when pjsip_inv_verify_request3() return error #4503

wants to merge 2 commits into from

Conversation

trengginas
Copy link
Member

The pjsip_inv_verify_request3() method will initialize the return argument(p_tdata) to NULL

pjproject/pjsip/src/pjsip-ua/sip_inv.c

Line 1268 in 77b3657

if (p_tdata) *p_tdata = NULL;

So, it might crash here if pjsip_inv_verify_request3() returns error and p_tdata is still not set.

pjproject/pjsip/src/pjsua-lib/pjsua_call.c

Lines 1397 to 1399 in 77b3657

if (response)
err_code = (*response)->msg->line.status.code;
else

This patch will check for the return argument to prevent the crash.

@trengginas trengginas added this to the release-2.16 milestone Jul 10, 2025
@trengginas trengginas self-assigned this Jul 10, 2025
Copilot
Copilot AI reviewed Jul 10, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR prevents a potential null-dereference in verify_request by using a temporary response pointer and only accessing it after verifying it's non-NULL.

  • Introduces a local pjsip_tx_data *resp initialized to NULL
  • Changes the pjsip_inv_verify_request3 call to use &resp
  • Updates error handling to check resp before reading status and assign back to *response
Comments suppressed due to low confidence (2)

pjsip/src/pjsua-lib/pjsua_call.c:1382

  • [nitpick] The variable name resp is somewhat vague. Consider renaming it to tmp_resp or tx_data_resp to make its purpose clearer.
        pjsip_tx_data *resp = NULL;

pjsip/src/pjsua-lib/pjsua_call.c:1391

  • Add a unit or integration test that simulates a failure in pjsip_inv_verify_request3 to verify both branches: when resp remains NULL and when it is set, ensuring the new checks prevent crashes as intended.
                                           pjsua_var.endpt, &resp);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@sauwming sauwming sauwming approved these changes

@nanangizz nanangizz nanangizz approved these changes

Assignees

@trengginas trengginas

Labels
component: pjsua-lib type: bug
Projects
None yet
Milestone
release-2.16
Development

Successfully merging this pull request may close these issues.
3 participants
@trengginas @sauwming @nanangizz