Update for 15.7.4

After receiving a 200 OK with a declined stream in response to a T.38
initiated re-invite Asterisk would crash when attempting to dereference
a NULL session media object.

This patch checks to make sure the session media object is not NULL before
attempting to use it.

ASTERISK-28495
patches:
  ast-2019-004.patch submitted by Alexei Gradinari (license 5691)

Change-Id: I168f45f4da29cfe739acf87e597baa2aae7aa572

.version

@@ -1 +1 @@
-15.7.3
+15.7.4

ChangeLog

@@ -1,3 +1,24 @@
+2019-09-05 13:09 +0000  Asterisk Development Team <asteriskteam@digium.com>
+
+	* asterisk 15.7.4 Released.
+
+2019-08-20 15:05 +0000 [b49f09a292]  Alexei Gradinari <alex2grad@gmail.com> (license 5691)
+
+	* AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media
+
+	  After receiving a 200 OK with a declined stream in response to a T.38
+	  initiated re-invite Asterisk would crash when attempting to dereference
+	  a NULL session media object.
+
+	  This patch checks to make sure the session media object is not NULL before
+	  attempting to use it.
+
+	  ASTERISK-28495
+	  patches:
+	    ast-2019-004.patch submitted by Alexei Gradinari (license 5691)
+
+	  Change-Id: I168f45f4da29cfe739acf87e597baa2aae7aa572
+
 2019-07-11 19:22 +0000  Asterisk Development Team <asteriskteam@digium.com>
 
 	* asterisk 15.7.3 Released.

asterisk-15.7.4-summary.html

@@ -1,15 +1,14 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-15.7.3</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-15.7.3</h3><h3 align="center">Date: 2019-07-11</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-15.7.4</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-15.7.4</h3><h3 align="center">Date: 2019-09-05</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
 <li><a href="#summary">Summary</a></li>
 <li><a href="#contributors">Contributors</a></li>
 <li><a href="#closed_issues">Closed Issues</a></li>
 <li><a href="#diffstat">Diffstat</a></li>
 </ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
-<li><a href="http://downloads.asterisk.org/pub/security/AST-2019-002,AST-2019-003.html">AST-2019-002,AST-2019-003</a></li>
-</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-15.7.2.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2019-004.html">AST-2019-004</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-15.7.3.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
 <tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
-<tr valign="top"><td width="33%">1 Francesco Castellano <francesco.castellano@messagenet.it><br/>1 George Joseph <gjoseph@digium.com><br/></td><td width="33%"><td width="33%">1 Gil Richard<br/>1 Gil Richard <grichard@intertalksystems.com><br/>1 Francesco Castellano <francesco.castellano@messagenet.it><br/></td></tr>
-</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Channels/chan_sip/Interoperability</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-28465">ASTERISK-28465</a>: Broken SDP can cause a segfault in a T.38 reINVITE<br/>Reported by: Francesco Castellano<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=74835b30c8263898b577d17774c9c71514d20955">[74835b30c8]</a> Francesco Castellano -- chan_sip: Handle invalid SDP answer to T.38 re-invite</li>
-</ul><br><h4>Category: Resources/res_pjsip_messaging</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-28447">ASTERISK-28447</a>: res_pjsip_messaging: In-dialog MESSAGE with no body causes crash<br/>Reported by: Gil Richard<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=08cf3516c48d2c5ef510d3deb7afa0f637dd875e">[08cf3516c4]</a> George Joseph -- res_pjsip_messaging:  Check for body in in-dialog message</li>
-</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>0 files changed</pre><br></html>
+<tr valign="top"><td width="33%">1 Alexei Gradinari <alex2grad@gmail.com> (license 5691)<br/></td><td width="33%"><td width="33%">1 Alexei Gradinari <alex2grad@gmail.com><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Resources/res_pjsip_t38</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-28495">ASTERISK-28495</a>: res_pjsip_t38: 200 OK with SDP answer with declined stream causes crash<br/>Reported by: Alexei Gradinari<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=b49f09a2929ff77e0fc08ef02238b5bc917aab08">[b49f09a292]</a> Alexei Gradinari -- AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media</li>
+</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>res_pjsip_t38.c |   46 +++++++++++++++++++++++++---------------------
+1 file changed, 25 insertions(+), 21 deletions(-)</pre><br></html>

asterisk-15.7.4-summary.txt

@@ -1,8 +1,8 @@
                                 Release Summary
 
-                                asterisk-15.7.3
+                                asterisk-15.7.4
 
-                                Date: 2019-07-11
+                                Date: 2019-09-05
 
                            <asteriskteam@digium.com>
 
@@ -30,10 +30,10 @@
 
    Security Advisories:
 
-     * AST-2019-002,AST-2019-003
+     * AST-2019-004
 
    The data in this summary reflects changes that have been made since the
-   previous release, asterisk-15.7.2.
+   previous release, asterisk-15.7.3.
 
      ----------------------------------------------------------------------
 
@@ -50,10 +50,8 @@
    issues that they reported that were affected by commits that went into
    this release.
 
-   Coders                   Testers                  Reporters                
-   1 Francesco Castellano                            1 Gil Richard            
-   1 George Joseph                                   1 Gil Richard            
-                                                     1 Francesco Castellano   
+   Coders                            Testers         Reporters                
+   1 Alexei Gradinari (license 5691)                 1 Alexei Gradinari       
 
      ----------------------------------------------------------------------
 
@@ -66,20 +64,13 @@
 
   Security
 
-    Category: Channels/chan_sip/Interoperability
+    Category: Resources/res_pjsip_t38
 
-   ASTERISK-28465: Broken SDP can cause a segfault in a T.38 reINVITE
-   Reported by: Francesco Castellano
-     * [74835b30c8] Francesco Castellano -- chan_sip: Handle invalid SDP
-       answer to T.38 re-invite
-
-    Category: Resources/res_pjsip_messaging
-
-   ASTERISK-28447: res_pjsip_messaging: In-dialog MESSAGE with no body causes
-   crash
-   Reported by: Gil Richard
-     * [08cf3516c4] George Joseph -- res_pjsip_messaging: Check for body in
-       in-dialog message
+   ASTERISK-28495: res_pjsip_t38: 200 OK with SDP answer with declined stream
+   causes crash
+   Reported by: Alexei Gradinari
+     * [b49f09a292] Alexei Gradinari -- AST-2019-004 - res_pjsip_t38.c: Add
+       NULL checks before using session media
 
      ----------------------------------------------------------------------
 
@@ -90,4 +81,5 @@
    This is a summary of the changes to the source code that went into this
    release that was generated using the diffstat utility.
 
- 0 files changed
+ res_pjsip_t38.c |   46 +++++++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 21 deletions(-)

res/res_pjsip_t38.c

@@ -203,7 +203,6 @@ static int t38_automatic_reject(void *obj)
 {
 	RAII_VAR(struct ast_sip_session *, session, obj, ao2_cleanup);
 	RAII_VAR(struct ast_datastore *, datastore, ast_sip_session_get_datastore(session, "t38"), ao2_cleanup);
-	struct ast_sip_session_media *session_media;
 
 	if (!datastore) {
 		return 0;
@@ -212,8 +211,7 @@ static int t38_automatic_reject(void *obj)
 	ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n",
 		session->channel ? ast_channel_name(session->channel) : "<gone>");
 
-	session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-	t38_change_state(session, session_media, datastore->data, T38_REJECTED);
+	t38_change_state(session, NULL, datastore->data, T38_REJECTED);
 	ast_sip_session_resume_reinvite(session);
 
 	return 0;
@@ -322,28 +320,37 @@ static int t38_reinvite_response_cb(struct ast_sip_session *session, pjsip_rx_da
 		int index;
 
 		session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-		t38_change_state(session, session_media, state, T38_ENABLED);
+		if (!session_media) {
+			ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n",
+					status.code, session->channel ? ast_channel_name(session->channel) : "unknown channel");
+		} else {
+			t38_change_state(session, session_media, state, T38_ENABLED);
 
-		/* Stop all the streams in the stored away active state, they'll go back to being active once
-		 * we reinvite back.
-		 */
-		for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
-			struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
+			/* Stop all the streams in the stored away active state, they'll go back to being active once
+			 * we reinvite back.
+			 */
+			for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
+				struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
 
-			if (session_media && session_media->handler && session_media->handler->stream_stop) {
-				session_media->handler->stream_stop(session_media);
+				if (session_media && session_media->handler && session_media->handler->stream_stop) {
+					session_media->handler->stream_stop(session_media);
+				}
 			}
+
+			return 0;
 		}
 	} else {
 		session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-		t38_change_state(session, session_media, state, T38_REJECTED);
-
-		/* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
-		ast_sip_session_media_state_free(state->media_state);
-		state->media_state = NULL;
-		ast_sip_session_media_state_reset(session->pending_media_state);
 	}
 
+	/* If no session_media then response contained a declined stream, so disable */
+	t38_change_state(session, NULL, state, session_media ? T38_REJECTED : T38_DISABLED);
+
+	/* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
+	ast_sip_session_media_state_free(state->media_state);
+	state->media_state = NULL;
+	ast_sip_session_media_state_reset(session->pending_media_state);
+
 	return 0;
 }
 
@@ -426,12 +433,10 @@ static int t38_interpret_parameters(void *obj)
 		/* Negotiation can not take place without a valid max_ifp value. */
 		if (!parameters->max_ifp) {
 			if (data->session->t38state == T38_PEER_REINVITE) {
-				session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-				t38_change_state(data->session, session_media, state, T38_REJECTED);
+				t38_change_state(data->session, NULL, state, T38_REJECTED);
 				ast_sip_session_resume_reinvite(data->session);
 			} else if (data->session->t38state == T38_ENABLED) {
-				session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-				t38_change_state(data->session, session_media, state, T38_DISABLED);
+				t38_change_state(data->session, NULL, state, T38_DISABLED);
 				ast_sip_session_refresh(data->session, NULL, NULL, NULL,
 					AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
 				state->media_state = NULL;
@@ -454,6 +459,11 @@ static int t38_interpret_parameters(void *obj)
 			state->our_parms.version = MIN(state->our_parms.version, state->their_parms.version);
 			state->our_parms.rate_management = state->their_parms.rate_management;
 			session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+			if (!session_media) {
+				ast_log(LOG_ERROR, "Failed to negotiate parameters for reinvite on channel '%s' (No pending session media).\n",
+					data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
+				break;
+			}
 			ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
 			t38_change_state(data->session, session_media, state, T38_ENABLED);
 			ast_sip_session_resume_reinvite(data->session);
@@ -468,8 +478,13 @@ static int t38_interpret_parameters(void *obj)
 			}
 			state->our_parms = *parameters;
 			session_media = media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+			if (!session_media) {
+				ast_log(LOG_ERROR, "Failed to negotiate parameters on channel '%s' (No default session media).\n",
+					data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
+				break;
+			}
 			ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
-			t38_change_state(data->session, session_media, state, T38_LOCAL_REINVITE);
+			t38_change_state(data->session, NULL, state, T38_LOCAL_REINVITE);
 			ast_sip_session_refresh(data->session, NULL, t38_reinvite_sdp_cb, t38_reinvite_response_cb,
 				AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, media_state);
 		}
@@ -478,12 +493,10 @@ static int t38_interpret_parameters(void *obj)
 	case AST_T38_REFUSED:
 	case AST_T38_REQUEST_TERMINATE:         /* Shutdown T38 */
 		if (data->session->t38state == T38_PEER_REINVITE) {
-			session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-			t38_change_state(data->session, session_media, state, T38_REJECTED);
+			t38_change_state(data->session, NULL, state, T38_REJECTED);
 			ast_sip_session_resume_reinvite(data->session);
 		} else if (data->session->t38state == T38_ENABLED) {
-			session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
-			t38_change_state(data->session, session_media, state, T38_DISABLED);
+			t38_change_state(data->session, NULL, state, T38_DISABLED);
 			ast_sip_session_refresh(data->session, NULL, NULL, NULL, AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
 			state->media_state = NULL;
 		}
@@ -493,6 +506,11 @@ static int t38_interpret_parameters(void *obj)
 
 		if (data->session->t38state == T38_PEER_REINVITE) {
 			session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+			if (!session_media) {
+				ast_log(LOG_ERROR, "Failed to request parameters for reinvite on channel '%s' (No pending session media).\n",
+					data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
+				break;
+			}
 			parameters.max_ifp = ast_udptl_get_far_max_ifp(session_media->udptl);
 			parameters.request_response = AST_T38_REQUEST_NEGOTIATE;
 			ast_queue_control_data(data->session->channel, AST_CONTROL_T38_PARAMETERS, &parameters, sizeof(parameters));
@@ -788,7 +806,7 @@ static int negotiate_incoming_sdp_stream(struct ast_sip_session *session,
 
 	if ((session->t38state == T38_REJECTED) || (session->t38state == T38_DISABLED)) {
 		ast_debug(3, "Declining; T.38 state is rejected or declined\n");
-		t38_change_state(session, session_media, state, T38_DISABLED);
+		t38_change_state(session, NULL, state, T38_DISABLED);
 		return 0;
 	}