[Asterisk-code-review] AST-2018-004: Restrict the number of Accept headers in a SUB... (asterisk[13.19])
Joshua Colp
asteriskteam at digium.com
Wed Feb 21 10:37:33 CST 2018
Joshua Colp has submitted this change and it was merged. ( https://gerrit.asterisk.org/8316 )
Change subject: AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.
......................................................................
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.
When receiving a SUBSCRIBE request the Accept headers from it are
stored locally. This operation has a fixed limit of 32 Accept headers
but this limit was not enforced. As a result it was possible for
memory outside of the allocated space to get written to resulting
in a crash.
This change enforces the limit so only 32 Accept headers are
processed.
ASTERISK-27640
Reported By: Sandro Gauci
Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301
---
M res/res_pjsip_pubsub.c
1 file changed, 3 insertions(+), 2 deletions(-)
Approvals:
Jenkins2: Verified
Joshua Colp: Looks good to me, approved; Approved for Submit
diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 36d70dc..6a89ed3 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -732,10 +732,11 @@
char accept[AST_SIP_MAX_ACCEPT][64];
size_t num_accept_headers = 0;
- while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next))) {
+ while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next)) &&
+ (num_accept_headers < AST_SIP_MAX_ACCEPT)) {
int i;
- for (i = 0; i < accept_header->count; ++i) {
+ for (i = 0; i < accept_header->count && num_accept_headers < AST_SIP_MAX_ACCEPT; ++i) {
if (!exceptional_accept(&accept_header->values[i])) {
ast_copy_pj_str(accept[num_accept_headers], &accept_header->values[i], sizeof(accept[num_accept_headers]));
++num_accept_headers;
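
Review bot: Both new bounds checks (the `while` condition and the inner `for` condition) stop copying once `num_accept_headers` reaches `AST_SIP_MAX_ACCEPT`, but nothing records that Accept values were dropped, so a SUBSCRIBE carrying more than the limit is handled as if it had sent only the first 32 accepted values. Consider emitting a warning or debug log after the loop when the limit was hit, so that an oversized request is visible to operators. A minor point on the `while` line: `pjsip_msg_find_hdr()` is evaluated before `num_accept_headers < AST_SIP_MAX_ACCEPT`, so one extra header lookup happens once the array is full; putting the bound first in the `&&` avoids it and makes the guard easier to see. The inner check is still needed as written, since a single Accept header can contribute several entries through `accept_header->count`.
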
--
To view, visit https://gerrit.asterisk.org/8316
Gerrit-Project: asterisk
Gerrit-Branch: 13.19
Gerrit-MessageType: merged
Gerrit-Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301
Gerrit-Change-Number: 8316
Gerrit-PatchSet: 1
Gerrit-Owner: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Jenkins2
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>