Merge pull request from GHSA-8hcp-hm38-mfph

* Check hostname during TLS transport selection * revision based on feedback * remove the code in create_request that has been moved
pjsip · Mar 8, 2021 · 67e46c1 · 67e46c1
1 parent 97b3d7a
commit 67e46c1
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 3 deletions.
diff --git a/pjsip/include/pjsip/sip_dialog.h b/pjsip/include/pjsip/sip_dialog.h
@@ -165,6 +165,7 @@ struct pjsip_dialog
     pjsip_route_hdr	route_set;  /**< Route set.			    */
     pj_bool_t		route_set_frozen; /**< Route set has been set.	    */
     pjsip_auth_clt_sess	auth_sess;  /**< Client authentication session.	    */
+    pj_str_t		initial_dest;/**< Initial destination host.  	    */
 
     /** Session counter. */
     int			sess_count; /**< Number of sessions.		    */

diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c
@@ -467,6 +467,10 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua,
 
     /* Save the remote info. */
     pj_strdup(dlg->pool, &dlg->remote.info_str, &tmp);
+
+    /* Save initial destination host from transport's info */
+    pj_strdup(dlg->pool, &dlg->initial_dest,
+    	      &rdata->tp_info.transport->remote_name.host);
 
 
     /* Init remote's contact from Contact header.
@@ -1192,6 +1196,12 @@ static pj_status_t dlg_create_request_throw( pjsip_dialog *dlg,
 	    return status;
     }
 
+    /* Copy the initial destination host to tdata. This information can be
+     * used later by transport for transport selection.
+     */
+    if (dlg->initial_dest.slen)
+    	pj_strdup(tdata->pool, &tdata->dest_info.name, &dlg->initial_dest);
+
     /* Done. */
     *p_tdata = tdata;
 
@@ -1822,6 +1832,11 @@ static void dlg_update_routeset(pjsip_dialog *dlg, const pjsip_rx_data *rdata)
      * transaction as the initial transaction that establishes dialog.
      */
     if (dlg->role == PJSIP_ROLE_UAC) {
+    	/* Save initial destination host from transport's info. */
+    	if (!dlg->initial_dest.slen) {
+    	    pj_strdup(dlg->pool, &dlg->initial_dest,
+    	      	      &rdata->tp_info.transport->remote_name.host);
+    	}
 
 	/* Ignore subsequent request from remote */
 	if (msg->type != PJSIP_RESPONSE_MSG)

diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
@@ -2335,6 +2335,19 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
 		    if (!tp_iter->tp->is_shutdown &&
 			!tp_iter->tp->is_destroying)
 		    {
+			if ((type & PJSIP_TRANSPORT_SECURE) && tdata) {
+			    /* For secure transport, make sure tdata's
+			     * destination host matches the transport's
+			     * remote host.
+			     */
+			    if (pj_stricmp(&tdata->dest_info.name,
+				  	   &tp_iter->tp->remote_name.host))
+			    {
+			    	tp_iter = tp_iter->next;
+			    	continue;
+			    }
+			}
+
 			if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER &&
 			    sel->u.listener)
 			{

diff --git a/pjsip/src/pjsip/sip_util.c b/pjsip/src/pjsip/sip_util.c
@@ -1417,7 +1417,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_request_stateless(pjsip_endpoint *endpt,
      */
     if (tdata->dest_info.addr.count == 0) {
 	/* Copy the destination host name to TX data */
-	pj_strdup(tdata->pool, &tdata->dest_info.name, &dest_info.addr.host);
+	if (!tdata->dest_info.name.slen) {
+	    pj_strdup(tdata->pool, &tdata->dest_info.name,
+	    	      &dest_info.addr.host);
+	}
 
 	pjsip_endpt_resolve( endpt, tdata->pool, &dest_info, stateless_data,
 			     &stateless_send_resolver_callback);
@@ -1810,8 +1813,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_response( pjsip_endpoint *endpt,
 	}
     } else {
 	/* Copy the destination host name to TX data */
-	pj_strdup(tdata->pool, &tdata->dest_info.name, 
-		  &res_addr->dst_host.addr.host);
+	if (!tdata->dest_info.name.slen) {
+	    pj_strdup(tdata->pool, &tdata->dest_info.name, 
+		      &res_addr->dst_host.addr.host);
+	}
 
 	pjsip_endpt_resolve(endpt, tdata->pool, &res_addr->dst_host, 
 			    send_state, &send_response_resolver_cb);