<p>Joshua Colp has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/8320">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.<br><br>When receiving a SUBSCRIBE request the Accept headers from it are<br>stored locally. This operation has a fixed limit of 32 Accept headers<br>but this limit was not enforced. As a result it was possible for<br>memory outside of the allocated space to get written to resulting<br>in a crash.<br><br>This change enforces the limit so only 32 Accept headers are<br>processed.<br><br>ASTERISK-27640<br>Reported By: Sandro Gauci<br><br>Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301<br>---<br>M res/res_pjsip_pubsub.c<br>1 file changed, 3 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/20/8320/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c<br>index bf187d7..b541093 100644<br>--- a/res/res_pjsip_pubsub.c<br>+++ b/res/res_pjsip_pubsub.c<br>@@ -732,10 +732,11 @@<br> char accept[AST_SIP_MAX_ACCEPT][64];<br> size_t num_accept_headers = 0;<br> <br>- while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next))) {<br>+ while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next)) &&<br>+ (num_accept_headers < AST_SIP_MAX_ACCEPT)) {<br> int i;<br> <br>- for (i = 0; i < accept_header->count; ++i) {<br>+ for (i = 0; i < accept_header->count && num_accept_headers < AST_SIP_MAX_ACCEPT; ++i) {<br> if (!exceptional_accept(&accept_header->values[i])) {<br> ast_copy_pj_str(accept[num_accept_headers], &accept_header->values[i], sizeof(accept[num_accept_headers]));<br> ++num_accept_headers;<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/8320">change 8320</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/8320"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 15.2 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301 </div>
<div style="display:none"> Gerrit-Change-Number: 8320 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Joshua Colp <jcolp@digium.com> </div>