AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.
author Joshua Colp <jcolp@digium.com>
Wed, 7 Feb 2018 14:09:14 +0000 (14:09 +0000)
committer Joshua Colp <jcolp@digium.com>
Wed, 21 Feb 2018 14:30:31 +0000 (08:30 -0600)
When receiving a SUBSCRIBE request, the Accept headers from it are
stored locally. This operation has a fixed limit of 32 Accept headers,
but this limit was not enforced. As a result, it was possible for
memory outside of the allocated space to get written to, resulting
in a crash.

This change enforces the limit so only 32 Accept headers are
processed.

ASTERISK-27640
Reported By: Sandro Gauci

Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301

res/res_pjsip_pubsub.c

index c78f20c..69c256d 100644 (file)
@@ -786,10 +786,11 @@ static struct ast_sip_pubsub_body_generator *subscription_get_generator_from_rda
        char accept[AST_SIP_MAX_ACCEPT][64];
        size_t num_accept_headers = 0;
 
-       while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next))) {
+       while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next)) &&
+               (num_accept_headers < AST_SIP_MAX_ACCEPT)) {
                int i;
 
-               for (i = 0; i < accept_header->count; ++i) {
+               for (i = 0; i < accept_header->count && num_accept_headers < AST_SIP_MAX_ACCEPT; ++i) {
                        if (!exceptional_accept(&accept_header->values[i])) {
                                ast_copy_pj_str(accept[num_accept_headers], &accept_header->values[i], sizeof(accept[num_accept_headers]));
                                ++num_accept_headers;
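Review bot: In both the `while` condition and the inner `for` condition, Accept values beyond AST_SIP_MAX_ACCEPT are now discarded silently, so a SUBSCRIBE that lists more than 32 values gets a truncated `accept` array with nothing in the logs to say so. Consider logging a warning or debug message when `num_accept_headers` reaches AST_SIP_MAX_ACCEPT while headers or values remain, and adding a short comment above the loop stating that the bound protects `accept[AST_SIP_MAX_ACCEPT][64]`. A smaller point: in the `while`, the bound test sits after the `pjsip_msg_find_hdr(...)` call, so one more header lookup runs once the array is already full; testing `num_accept_headers < AST_SIP_MAX_ACCEPT` first would skip it, provided nothing after the loop relies on the final value of `accept_header`.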