diff options
| author | Joshua Colp <jcolp@digium.com> | 2018-02-07 14:09:14 +0000 |
|---|---|---|
| committer | Joshua Colp <jcolp@digium.com> | 2018-02-21 08:30:31 -0600 |
| commit | d424850d58a90b1640d7b3d94490eea5535637ee (patch) | |
| tree | 3eeeac17c5e156793dd682e64e35aa538164b13a /res | |
| parent | a1e6320c4a1c08d17c920b5c39ef0bb055042a4a (diff) | |
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.
When receiving a SUBSCRIBE request the Accept headers from it are
stored locally. This operation has a fixed limit of 32 Accept headers
but this limit was not enforced. As a result it was possible for
memory outside of the allocated space to get written to resulting
in a crash.
This change enforces the limit so only 32 Accept headers are
processed.
ASTERISK-27640
Reported By: Sandro Gauci
Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301
Diffstat (limited to 'res')
| -rw-r--r-- | res/res_pjsip_pubsub.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c index c78f20c2b..69c256dab 100644 --- a/res/res_pjsip_pubsub.c +++ b/res/res_pjsip_pubsub.c @@ -786,10 +786,11 @@ static struct ast_sip_pubsub_body_generator *subscription_get_generator_from_rda char accept[AST_SIP_MAX_ACCEPT][64]; size_t num_accept_headers = 0; - while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next))) { + while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next)) && + (num_accept_headers < AST_SIP_MAX_ACCEPT)) { int i; - for (i = 0; i < accept_header->count; ++i) { + for (i = 0; i < accept_header->count && num_accept_headers < AST_SIP_MAX_ACCEPT; ++i) { if (!exceptional_accept(&accept_header->values[i])) { ast_copy_pj_str(accept[num_accept_headers], &accept_header->values[i], sizeof(accept[num_accept_headers])); ++num_accept_headers; |