res_pjsip_transport_websocket: Fix crash on receiving large SIP packets
author: Ivan Poddubny <ivan.poddubny@gmail.com>
Sat, 23 May 2015 09:36:18 +0000 (12:36 +0300)
committer: Ivan Poddubny <ivan.poddubny@gmail.com>
Sat, 23 May 2015 10:15:34 +0000 (13:15 +0300)
Incoming SIP packets larger than PJSIP_MAX_PKT_LEN were themselves
truncated before passing to pjsip_tpmgr_receive_packet, but the length
was passed unaltered, thus causing memory corruption and segfault.

ASTERISK-25122 #close

Change-Id: I608a6b6b7f229eacc33a0a7d771d18e27e5b08ab

res/res_pjsip_transport_websocket.c

index 70e5c2a..914c8b8 100644 (file)
@@ -197,12 +197,13 @@ static int transport_read(void *data)
        pjsip_rx_data *rdata = &newtransport->rdata;
        int recvd;
        pj_str_t buf;
+       int pjsip_pkt_len;
 
        pj_gettimeofday(&rdata->pkt_info.timestamp);
 
-       pj_memcpy(rdata->pkt_info.packet, read_data->payload,
-               PJSIP_MAX_PKT_LEN < read_data->payload_len ? PJSIP_MAX_PKT_LEN : read_data->payload_len);
-       rdata->pkt_info.len = read_data->payload_len;
+       pjsip_pkt_len = PJSIP_MAX_PKT_LEN < read_data->payload_len ? PJSIP_MAX_PKT_LEN : read_data->payload_len;
+       pj_memcpy(rdata->pkt_info.packet, read_data->payload, pjsip_pkt_len);
+       rdata->pkt_info.len = pjsip_pkt_len;
        rdata->pkt_info.zero = 0;
 
        pj_sockaddr_parse(pj_AF_UNSPEC(), 0, pj_cstr(&buf, ast_sockaddr_stringify(ast_websocket_remote_address(session))), &rdata->pkt_info.src_addr);
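Review bot: the copy length and `rdata->pkt_info.len` now agree (`pjsip_pkt_len = ...`, `rdata->pkt_info.len = pjsip_pkt_len;`), which closes the over-read that the commit message describes, but the truncation is silent: a frame larger than PJSIP_MAX_PKT_LEN is handed to pjsip_tpmgr_receive_packet as a cut-off SIP message with no log line, so an operator has no signal that a peer is sending oversized packets, and the parser will most likely reject the partial message anyway. Suggest emitting a warning (or dropping the frame outright) when `read_data->payload_len > PJSIP_MAX_PKT_LEN`, and, if `payload_len` is an unsigned type, declaring `pjsip_pkt_len` with that same type rather than `int` so the ternary does not mix signed and unsigned operands.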