<p>Joshua Colp <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/8318">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Jenkins2: Verified
  Joshua Colp: Looks good to me, approved; Approved for Submit

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.<br><br>When receiving a SUBSCRIBE request the Accept headers from it are<br>stored locally. This operation has a fixed limit of 32 Accept headers<br>but this limit was not enforced. As a result it was possible for<br>memory outside of the allocated space to get written to resulting<br>in a crash.<br><br>This change enforces the limit so only 32 Accept headers are<br>processed.<br><br>ASTERISK-27640<br>Reported By: Sandro Gauci<br><br>Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301<br>---<br>M res/res_pjsip_pubsub.c<br>1 file changed, 3 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c<br>index ba89d04..a6be41c 100644<br>--- a/res/res_pjsip_pubsub.c<br>+++ b/res/res_pjsip_pubsub.c<br>@@ -732,10 +732,11 @@<br>      char accept[AST_SIP_MAX_ACCEPT][64];<br>  size_t num_accept_headers = 0;<br> <br>-    while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next))) {<br>+       while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next)) &&<br>+               (num_accept_headers < AST_SIP_MAX_ACCEPT)) {<br>               int i;<br> <br>-            for (i = 0; i < accept_header->count; ++i) {<br>+           for (i = 0; i < accept_header->count && num_accept_headers < AST_SIP_MAX_ACCEPT; ++i) {<br>                      if (!exceptional_accept(&accept_header->values[i])) {<br>                          ast_copy_pj_str(accept[num_accept_headers], &accept_header->values[i], sizeof(accept[num_accept_headers]));<br>                            ++num_accept_headers;<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/8318">change 8318</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/8318"/><meta itemprop="name" content="View Change"/></div></div>

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 14.7 </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301 </div>
<div style="display:none"> Gerrit-Change-Number: 8318 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Joshua Colp <jcolp@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins2 </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@digium.com> </div>