<p>Joshua Colp has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/8319">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.<br><br>When receiving a SUBSCRIBE request the Accept headers from it are<br>stored locally. This operation has a fixed limit of 32 Accept headers<br>but this limit was not enforced. As a result it was possible for<br>memory outside of the allocated space to get written to resulting<br>in a crash.<br><br>This change enforces the limit so only 32 Accept headers are<br>processed.<br><br>ASTERISK-27640<br>Reported By: Sandro Gauci<br><br>Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301<br>---<br>M res/res_pjsip_pubsub.c<br>1 file changed, 3 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/19/8319/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c<br>index 0ceccf5..9b45df5 100644<br>--- a/res/res_pjsip_pubsub.c<br>+++ b/res/res_pjsip_pubsub.c<br>@@ -786,10 +786,11 @@<br>     char accept[AST_SIP_MAX_ACCEPT][64];<br>  size_t num_accept_headers = 0;<br> <br>-    while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next))) {<br>+       while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next)) &&<br>+               (num_accept_headers < AST_SIP_MAX_ACCEPT)) {<br>               int i;<br> <br>-            for (i = 0; i < accept_header->count; ++i) {<br>+           for (i = 0; i < accept_header->count && num_accept_headers < AST_SIP_MAX_ACCEPT; ++i) {<br>                      if (!exceptional_accept(&accept_header->values[i])) {<br>                          ast_copy_pj_str(accept[num_accept_headers], 
&accept_header->values[i], sizeof(accept[num_accept_headers]));<br>                            ++num_accept_headers;<br></pre>
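<p>Review bot: in the while condition the bound test num_accept_headers &lt; AST_SIP_MAX_ACCEPT comes after the pjsip_msg_find_hdr() call, so once the accept array is full the next Accept header is still looked up and assigned to accept_header before the loop stops; putting the bound test first would skip that lookup, provided nothing after the loop relies on accept_header. Accept values past the limit are also dropped with no trace in the lines shown here; consider logging when the cap is reached, or rejecting the SUBSCRIBE, so that an oversized Accept list is visible to whoever operates the system.</p>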

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 15 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301 </div>
<div style="display:none"> Gerrit-Change-Number: 8319 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Joshua Colp <jcolp@digium.com> </div>