diff options
author | Ivan Poddubny <ivan.poddubny@gmail.com> | 2015-05-23 12:36:18 +0300 |
---|---|---|
committer | Ivan Poddubny <ivan.poddubny@gmail.com> | 2015-05-23 05:18:53 -0500 |
commit | 554bd1e39c704a20226c1f8573fe30a327e9ae98 (patch) | |
tree | d6bbd44f7ae5fcc0becbf4907cd7dc671dcd80d1 /res/res_pjsip_transport_websocket.c | |
parent | eaabc4d04c9c4ebca1a4d04b5e9e6a36cc0b764b (diff) |
res_pjsip_transport_websocket: Fix crash on receiving large SIP packets
Incoming SIP packets larger than PJSIP_MAX_PKT_LEN were themselves
truncated before passing to pjsip_tpmgr_receive_packet, but the length
was passed unaltered, thus causing memory corruption and segfault.
ASTERISK-25122 #close
Change-Id: I608a6b6b7f229eacc33a0a7d771d18e27e5b08ab
Diffstat (limited to 'res/res_pjsip_transport_websocket.c')
-rw-r--r-- | res/res_pjsip_transport_websocket.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/res/res_pjsip_transport_websocket.c b/res/res_pjsip_transport_websocket.c index 94902d65b..ab8c9c3e4 100644 --- a/res/res_pjsip_transport_websocket.c +++ b/res/res_pjsip_transport_websocket.c @@ -197,12 +197,13 @@ static int transport_read(void *data) pjsip_rx_data *rdata = &newtransport->rdata; int recvd; pj_str_t buf; + int pjsip_pkt_len; pj_gettimeofday(&rdata->pkt_info.timestamp); - pj_memcpy(rdata->pkt_info.packet, read_data->payload, - PJSIP_MAX_PKT_LEN < read_data->payload_len ? PJSIP_MAX_PKT_LEN : read_data->payload_len); - rdata->pkt_info.len = read_data->payload_len; + pjsip_pkt_len = PJSIP_MAX_PKT_LEN < read_data->payload_len ? PJSIP_MAX_PKT_LEN : read_data->payload_len; + pj_memcpy(rdata->pkt_info.packet, read_data->payload, pjsip_pkt_len); + rdata->pkt_info.len = pjsip_pkt_len; rdata->pkt_info.zero = 0; pj_sockaddr_parse(pj_AF_UNSPEC(), 0, pj_cstr(&buf, ast_sockaddr_stringify(ast_websocket_remote_address(session))), &rdata->pkt_info.src_addr); |