NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2ae78f1c79
kumquat-buildroot/package/libpjsip/0001-Merge-pull-request-from-GHSA-26j7-ww69-c4qj.patch
Fabrice Fontaine 7ea3831685 package/libpjsip: fix CVE-2022-31031 
PJSIP is a free and open source multimedia communication library written
in C language implementing standard based protocols such as SIP, SDP,
RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a
stack buffer overflow vulnerability affects PJSIP users that use STUN in
their applications, either by: setting a STUN server in their
account/media config in PJSUA/PJSUA2 level, or directly using
`pjlib-util/stun_simple` API.

https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-06-28 00:32:36 +02:00

45 lines
1.5 KiB
Diff
Raw Blame History

From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001
From: sauwming <ming@teluu.com>
Date: Tue, 7 Jun 2022 12:00:13 +0800
Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj
[Retrieved from:
https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pjlib-util/src/pjlib-util/stun_simple.c b/pjlib-util/src/pjlib-util/stun_simple.c
index 722519584..d0549176d 100644
--- a/pjlib-util/src/pjlib-util/stun_simple.c
+++ b/pjlib-util/src/pjlib-util/stun_simple.c
@@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
{
pj_uint16_t msg_type, msg_len;
char *p_attr;
+ int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr);
PJ_CHECK_STACK();
@@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
msg->attr_count = 0;
p_attr = (char*)buf + sizeof(pjstun_msg_hdr);
- while (msg_len > 0) {
+ while (msg_len > 0 && msg->attr_count < attr_max_cnt) {
pjstun_attr_hdr **attr = &msg->attr[msg->attr_count];
pj_uint32_t len;
pj_uint16_t attr_type;
@@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
p_attr += len;
++msg->attr_count;
}
+ if (msg->attr_count == attr_max_cnt) {
+ PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.",
+ attr_max_cnt));
+ }
return PJ_SUCCESS;
}
Reference in New Issue View Git Blame Copy Permalink