path: root/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch
blob: 0d7df686a1570249e930fa1824f048097b4f66f3 (plain)
From 67e46c1ac45ad784db5b9080f5ed8b133c122872 Mon Sep 17 00:00:00 2001
From: sauwming <ming@teluu.com>
Date: Mon, 8 Mar 2021 17:39:36 +0800
Subject: [PATCH] Merge pull request from GHSA-8hcp-hm38-mfph

* Check hostname during TLS transport selection

* revision based on feedback

* remove the code in create_request that has been moved
---
 pjsip/include/pjsip/sip_dialog.h |  1 +
 pjsip/src/pjsip/sip_dialog.c     | 15 +++++++++++++++
 pjsip/src/pjsip/sip_transport.c  | 13 +++++++++++++
 pjsip/src/pjsip/sip_util.c       | 11 ++++++++---
 4 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/pjsip/include/pjsip/sip_dialog.h b/pjsip/include/pjsip/sip_dialog.h
index a0214d28c..e314c2ece 100644
--- a/pjsip/include/pjsip/sip_dialog.h
+++ b/pjsip/include/pjsip/sip_dialog.h
@@ -165,6 +165,7 @@ struct pjsip_dialog
     pjsip_route_hdr	route_set;  /**< Route set.			    */
     pj_bool_t		route_set_frozen; /**< Route set has been set.	    */
     pjsip_auth_clt_sess	auth_sess;  /**< Client authentication session.	    */
+    pj_str_t		initial_dest;/**< Initial destination host.  	    */
 
     /** Session counter. */
     int			sess_count; /**< Number of sessions.		    */
diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c
index 27530e4f2..9571b5a35 100644
--- a/pjsip/src/pjsip/sip_dialog.c
+++ b/pjsip/src/pjsip/sip_dialog.c
@@ -467,6 +467,10 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua,
 
     /* Save the remote info. */
     pj_strdup(dlg->pool, &dlg->remote.info_str, &tmp);
+    
+    /* Save initial destination host from transport's info */
+    pj_strdup(dlg->pool, &dlg->initial_dest,
+    	      &rdata->tp_info.transport->remote_name.host);
 
 
     /* Init remote's contact from Contact header.
@@ -1192,6 +1196,12 @@ static pj_status_t dlg_create_request_throw( pjsip_dialog *dlg,
 	    return status;
     }
 
+    /* Copy the initial destination host to tdata. This information can be
+     * used later by transport for transport selection.
+     */
+    if (dlg->initial_dest.slen)
+    	pj_strdup(tdata->pool, &tdata->dest_info.name, &dlg->initial_dest);
+
     /* Done. */
     *p_tdata = tdata;
 
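Review bot: The comment on the added block in dlg_create_request_throw should say that it pins the destination name for the whole dialog, because the guards added in sip_util.c later in this patch (`if (!tdata->dest_info.name.slen)`) now keep this value instead of the host taken from the resolved request target. "Can be used later by transport for transport selection" hides that a later change of target or route set no longer alters `dest_info.name`. A wording such as `/* Pin the destination name to the host the dialog was first established with; the send path keeps a name that is already set. */` would make that explicit. When `initial_dest` is empty the request is left unpinned and falls back to the request-derived host, which deserves a line in the comment as well. The function body starts and ends outside the hunk.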
@@ -1822,6 +1832,11 @@ static void dlg_update_routeset(pjsip_dialog *dlg, const pjsip_rx_data *rdata)
      * transaction as the initial transaction that establishes dialog.
      */
     if (dlg->role == PJSIP_ROLE_UAC) {
+    	/* Save initial destination host from transport's info. */
+    	if (!dlg->initial_dest.slen) {
+    	    pj_strdup(dlg->pool, &dlg->initial_dest,
+    	      	      &rdata->tp_info.transport->remote_name.host);
+    	}
 
 	/* Ignore subsequent request from remote */
 	if (msg->type != PJSIP_RESPONSE_MSG)
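Review bot: In the UAC branch of dlg_update_routeset, `initial_dest` is captured before the `msg->type != PJSIP_RESPONSE_MSG` check that follows, so the first message to reach this point fixes the pinned host even if it is a request from the remote side rather than a response. Whether a request can arrive here first is not visible from this hunk, but if it can, the name would come from whichever transport carried it; moving the block below the response check would limit it to responses. The added lines also indent with spaces followed by tabs, unlike the tab-indented code around them, and the same applies to the lines added in create_uas_dialog above. The function continues outside the hunk.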
diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
index bef6d24fe..177274b08 100644
--- a/pjsip/src/pjsip/sip_transport.c
+++ b/pjsip/src/pjsip/sip_transport.c
@@ -2335,6 +2335,19 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
 		    if (!tp_iter->tp->is_shutdown &&
 			!tp_iter->tp->is_destroying)
 		    {
+			if ((type & PJSIP_TRANSPORT_SECURE) && tdata) {
+			    /* For secure transport, make sure tdata's
+			     * destination host matches the transport's
+			     * remote host.
+			     */
+			    if (pj_stricmp(&tdata->dest_info.name,
+				  	   &tp_iter->tp->remote_name.host))
+			    {
+			    	tp_iter = tp_iter->next;
+			    	continue;
+			    }
+			}
+
 			if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER &&
 			    sel->u.listener)
 			{
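Review bot: The hostname comparison is skipped whenever `tdata` is NULL, so a caller of pjsip_tpmgr_acquire_transport2 that passes no tdata can still be handed an existing secure transport without any name match. If that is intended for callers that have no destination name, a comment on the `&& tdata` condition should say so; otherwise the secure case could treat a missing tdata as a mismatch, e.g. `if (!tdata || pj_stricmp(&tdata->dest_info.name, &tp_iter->tp->remote_name.host))` under the `type & PJSIP_TRANSPORT_SECURE` test. The match is a plain case-insensitive string compare, so different spellings of the same host (trailing dot, IP literal versus name) will not reuse a transport; that fails on the safe side but is worth stating in the comment. The enclosing loop starts and ends outside the hunk, so the `tp_iter = tp_iter->next; continue;` pair should be checked against how the loop advances elsewhere.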
diff --git a/pjsip/src/pjsip/sip_util.c b/pjsip/src/pjsip/sip_util.c
index a1bf878ea..cf916805d 100644
--- a/pjsip/src/pjsip/sip_util.c
+++ b/pjsip/src/pjsip/sip_util.c
@@ -1417,7 +1417,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_request_stateless(pjsip_endpoint *endpt,
      */
     if (tdata->dest_info.addr.count == 0) {
 	/* Copy the destination host name to TX data */
-	pj_strdup(tdata->pool, &tdata->dest_info.name, &dest_info.addr.host);
+	if (!tdata->dest_info.name.slen) {
+	    pj_strdup(tdata->pool, &tdata->dest_info.name,
+	    	      &dest_info.addr.host);
+	}
 
 	pjsip_endpt_resolve( endpt, tdata->pool, &dest_info, stateless_data,
 			     &stateless_send_resolver_callback);
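Review bot: The comment `/* Copy the destination host name to TX data */` no longer matches the code, which now copies only when `dest_info.name` is empty; the same applies to the identical change in pjsip_endpt_send_response in the next hunk. Suggest `/* Copy the destination host name to TX data, unless a caller (e.g. the dialog layer) has already set it */`. Because a name that is already present is now kept, a tdata that is sent again towards a different resolved destination retains its earlier name. Whether any caller reuses tdata that way is not visible here, so a short note on the expected lifetime of `dest_info.name` would help the next reader.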
@@ -1810,8 +1813,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_response( pjsip_endpoint *endpt,
 	}
     } else {
 	/* Copy the destination host name to TX data */
-	pj_strdup(tdata->pool, &tdata->dest_info.name, 
-		  &res_addr->dst_host.addr.host);
+	if (!tdata->dest_info.name.slen) {
+	    pj_strdup(tdata->pool, &tdata->dest_info.name, 
+		      &res_addr->dst_host.addr.host);
+	}
 
 	pjsip_endpt_resolve(endpt, tdata->pool, &res_addr->dst_host, 
 			    send_state, &send_response_resolver_cb);
-- 
2.26.2