kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-03 03:20:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

res_pjsip_transport_websocket: Fix crash on receiving large SIP packets

Browse Source 
Incoming SIP packets larger than PJSIP_MAX_PKT_LEN were themselves
truncated before passing to pjsip_tpmgr_receive_packet, but the length
was passed unaltered, thus causing memory corruption and segfault.

ASTERISK-25122 #close

Change-Id: I608a6b6b7f229eacc33a0a7d771d18e27e5b08ab
This commit is contained in:
Ivan Poddubny
2015-05-23 12:36:18 +03:00
parent f66c41e668
commit 70d54ab6c4
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
res/res_pjsip_transport_websocket.c
View File

@@ -197,12 +197,13 @@ static int transport_read(void *data)
pjsip_rx_data *rdata = &newtransport->rdata;
int recvd;
pj_str_t buf;
int pjsip_pkt_len;
pj_gettimeofday(&rdata->pkt_info.timestamp);
pj_memcpy(rdata->pkt_info.packet, read_data->payload,
PJSIP_MAX_PKT_LEN < read_data->payload_len ? PJSIP_MAX_PKT_LEN : read_data->payload_len);
rdata->pkt_info.len = read_data->payload_len;
pjsip_pkt_len = PJSIP_MAX_PKT_LEN < read_data->payload_len ? PJSIP_MAX_PKT_LEN : read_data->payload_len;
pj_memcpy(rdata->pkt_info.packet, read_data->payload, pjsip_pkt_len);
rdata->pkt_info.len = pjsip_pkt_len;
rdata->pkt_info.zero = 0;
pj_sockaddr_parse(pj_AF_UNSPEC(), 0, pj_cstr(&buf, ast_sockaddr_stringify(ast_websocket_remote_address(session))), &rdata->pkt_info.src_addr);