[Asterisk-code-review] res pjsip transport websocket: Fix crash on receiving large ... (asterisk[13])

Matt Jordan asteriskteam at digium.com
Sun May 24 13:55:27 CDT 2015


Matt Jordan has submitted this change and it was merged.

Change subject: res_pjsip_transport_websocket: Fix crash on receiving large SIP packets
......................................................................


res_pjsip_transport_websocket: Fix crash on receiving large SIP packets

Incoming SIP packets larger than PJSIP_MAX_PKT_LEN were themselves
truncated before passing to pjsip_tpmgr_receive_packet, but the length
was passed unaltered, thus causing memory corruption and segfault.

ASTERISK-25122 #close

Change-Id: I608a6b6b7f229eacc33a0a7d771d18e27e5b08ab
---
M res/res_pjsip_transport_websocket.c
1 file changed, 4 insertions(+), 3 deletions(-)

Approvals:
  Matt Jordan: Looks good to me, approved; Verified
  Joshua Colp: Looks good to me, but someone else must approve



diff --git a/res/res_pjsip_transport_websocket.c b/res/res_pjsip_transport_websocket.c
index 94902d6..ab8c9c3 100644
--- a/res/res_pjsip_transport_websocket.c
+++ b/res/res_pjsip_transport_websocket.c
@@ -197,12 +197,13 @@
 	pjsip_rx_data *rdata = &newtransport->rdata;
 	int recvd;
 	pj_str_t buf;
+	int pjsip_pkt_len;
 
 	pj_gettimeofday(&rdata->pkt_info.timestamp);
 
-	pj_memcpy(rdata->pkt_info.packet, read_data->payload,
-		PJSIP_MAX_PKT_LEN < read_data->payload_len ? PJSIP_MAX_PKT_LEN : read_data->payload_len);
-	rdata->pkt_info.len = read_data->payload_len;
+	pjsip_pkt_len = PJSIP_MAX_PKT_LEN < read_data->payload_len ? PJSIP_MAX_PKT_LEN : read_data->payload_len;
+	pj_memcpy(rdata->pkt_info.packet, read_data->payload, pjsip_pkt_len);
+	rdata->pkt_info.len = pjsip_pkt_len;
 	rdata->pkt_info.zero = 0;
 
 	pj_sockaddr_parse(pj_AF_UNSPEC(), 0, pj_cstr(&buf, ast_sockaddr_stringify(ast_websocket_remote_address(session))), &rdata->pkt_info.src_addr);
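
Review bot: An oversized payload is still silently truncated at the new pjsip_pkt_len assignment, so a SIP message cut off at PJSIP_MAX_PKT_LEN bytes is passed on with a now-consistent length as if it were complete. Consider logging a warning and dropping the message when read_data->payload_len exceeds PJSIP_MAX_PKT_LEN instead of processing the partial packet. Separately, pjsip_pkt_len is declared int; if read_data->payload_len is unsigned or wider than int, declaring the local with a matching size type would avoid an implicit conversion in the ternary and in the assignment to rdata->pkt_info.len.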

-- 
To view, visit https://gerrit.asterisk.org/529
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I608a6b6b7f229eacc33a0a7d771d18e27e5b08ab
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Owner: Ivan Poddubny <ivan.poddubny at gmail.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Matt Jordan <mjordan at digium.com>


