[pjsip] Patch for crash in pjsua2 pj2Str()

Nick Dowell nick at nickdowell.com
Thu Jun 1 11:52:59 EDT 2017

When passed a pj_str_t with a negative slen, pj2Str() results in an
(uncaught) exception being thrown by the std::string constructor.

The fix is very simple - check that the slen is valid.

diff --git a/pjsip/src/pjsua2/util.hpp b/pjsip/src/pjsua2/util.hpp
index ae72af63..1563fc0f 100644
--- a/pjsip/src/pjsua2/util.hpp
+++ b/pjsip/src/pjsua2/util.hpp
@@ -36,7 +36,7 @@ inline pj_str_t str2Pj(const string &input_str)
 inline string pj2Str(const pj_str_t &input_str)
-    if (input_str.ptr)
+    if (input_str.ptr && 0 < input_str.slen)
 	return string(input_str.ptr, input_str.slen);
     return string();
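Review bot: the new guard `if (input_str.ptr && 0 < input_str.slen)` avoids the std::length_error but also silently turns a negative slen into an empty string, hiding the upstream defect the mail itself describes (pjsua_call_get_info() checks for a negative slen on remote_contact but not on local_contact, and pjsip_uri_print() can return a negative length when the 128-byte local_contact buffer is too small); consider logging or asserting on `input_str.slen < 0` here so a truncated local_contact does not surface as a mysteriously empty string, and add the missing sign check in pjsua_call_get_info() alongside this patch. Minor: `input_str.slen > 0` reads more naturally than `0 < input_str.slen`.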

For us this crash was occurring when calling pj::Call::getInfo() upon
receiving a call, and more specifically it was pj::CallInfo::fromPj()
that was calling pj2Str() with a bad string.

Further investigation revealed that it was the local_contact string
that was the problem.

We encountered this issue when adding support for Flexisip's push
notification functionality, which requires the device token or
registration id to be sent as part of the contact header [1].

This causes a problem for PJSIP because pjsua_call_info uses a small
fixed-size buffer (128 bytes) to store local_contact, and is not
large enough to store the contact headers required by Flexisip's push
notification mechanism.

I also noticed that pjsua_call_get_info() checks for negative slen 
when processing remote_contact but does not do so for local_contact. 
It may be worth revising this, or increasing the buffer size, but 
since the patch to pj2Str() has resolved our issues I have not taken 
this further.

Also it is not obvious that pjsip_uri_print() can return a negative
value; its documentation simply states "Returns: Length printed", so
this could be considered a bug in pjsip_uri_print().

[1] - https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/#HConfiguringLinphoneiOS
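The failure mode described in this mail, reproduced as an added example (not PJSIP's own code and not the patch author's): a constructed stand-in for pj_str_t with a signed slen, the unpatched and patched pj2Str() side by side, and a simulated producer (print_uri_into, fill_call_info, kContactBufSize are assumptions modelled on the mail's description of pjsua_call_get_info() and pjsip_uri_print()) that stores a negative "length printed" straight into slen when a Contact URI does not fit in a 128-byte buffer. It shows why the unpatched conversion throws std::length_error and how the patched guard turns the same input into an empty string.

```cpp
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>

// Constructed stand-in for PJSIP's pj_str_t: a char pointer plus a SIGNED
// length (pj_ssize_t in the real header), so slen can legitimately be negative.
struct pj_str_t {
    char *ptr;
    long  slen;
};

// Unpatched helper: a negative slen converts to an enormous size_t, and the
// std::string(const char*, size_type) constructor throws std::length_error.
inline std::string pj2Str_unpatched(const pj_str_t &s) {
    if (s.ptr)
        return std::string(s.ptr, s.slen);
    return std::string();
}

// Patched helper from the mail: only convert when slen is strictly positive.
inline std::string pj2Str_patched(const pj_str_t &s) {
    if (s.ptr && 0 < s.slen)
        return std::string(s.ptr, s.slen);
    return std::string();
}

// Assumption: the mail says pjsua_call_info keeps local_contact in a
// fixed 128-byte buffer.
const std::size_t kContactBufSize = 128;

// Simulated pjsip_uri_print(): copies the URI into the buffer and returns the
// length printed, or -1 when it does not fit. This is a model of the behaviour
// the mail reports, not the real PJSIP function.
long print_uri_into(const std::string &uri, char *buf, std::size_t size) {
    if (uri.size() > size)
        return -1;                        // negative "length printed"
    std::memcpy(buf, uri.data(), uri.size());
    return static_cast<long>(uri.size());
}

// Simulated pjsua_call_info: the print result is stored into slen without a
// sign check, which is how a negative slen reaches pj2Str() via
// pj::CallInfo::fromPj().
struct SimCallInfo {
    char     local_contact_buf[kContactBufSize];
    pj_str_t local_contact;
};

// Fills the info in place (ptr must point into the same object, so no copy).
void fill_call_info(SimCallInfo &info, const std::string &uri) {
    info.local_contact.ptr  = info.local_contact_buf;
    info.local_contact.slen = print_uri_into(uri, info.local_contact_buf,
                                             kContactBufSize);
}

// Returns true if the unpatched conversion throws std::length_error for s.
bool unpatched_throws(const pj_str_t &s) {
    try {
        (void)pj2Str_unpatched(s);
        return false;
    } catch (const std::length_error &) {
        return true;
    }
}

int main() {
    // Constructed sample inputs: a short Contact that fits, and a long one
    // (as produced by a push-notification Contact with a device token) that
    // does not.
    SimCallInfo ok{};
    fill_call_info(ok, "<sip:alice@example.invalid>");

    SimCallInfo overflow{};
    fill_call_info(overflow, std::string(200, 'x'));

    // Unpatched: the fitting contact converts, the overflowing one throws.
    // Patched: the overflowing one becomes an empty string instead.
    return (pj2Str_patched(ok.local_contact).size() == 27 &&
            unpatched_throws(overflow.local_contact) &&
            pj2Str_patched(overflow.local_contact).empty()) ? 0 : 1;
}
```

The empty string the patched version returns is exactly the silent-failure point the mail raises about pjsua_call_get_info(): the crash is gone, but the caller cannot tell a truncated local_contact from a genuinely absent one unless the sign of slen is checked where it is produced.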
