kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-02 03:02:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6158cc7b8e7a360c8bda6ba9b0d90cf8d16e10b9
asterisk/third-party/pjproject/patches/0301-Merge-pull-request-from-GHSA-cxwq-5g9x-x7fr.patch
George Joseph 452e0d7258 bundled_pjproject: Backport security fixes from pjproject 2.13.1 
Merge-pull-request-from-GHSA-9pfh-r8x4-w26w.patch
Merge-pull-request-from-GHSA-cxwq-5g9x-x7fr.patch
Locking-fix-so-that-SSL_shutdown-and-SSL_write-are-n.patch
Don-t-call-SSL_shutdown-when-receiving-SSL_ERROR_SYS.patch

Resolves: #188
2023-07-05 10:05:50 -06:00

82 lines
2.1 KiB
Diff
Raw Blame History

From 5c50a482986750c83db0dee2963599b8906e6951 Mon Sep 17 00:00:00 2001
From: sauwming <ming@teluu.com>
Date: Fri, 23 Dec 2022 15:05:28 +0800
Subject: [PATCH 301/303] Merge pull request from GHSA-cxwq-5g9x-x7fr
* Fixed heap buffer overflow when parsing STUN errcode attribute
* Also fixed uint parsing
---
pjnath/src/pjnath/stun_msg.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
index fd15230bc..d3aaae5bf 100644
--- a/pjnath/src/pjnath/stun_msg.c
+++ b/pjnath/src/pjnath/stun_msg.c
@@ -1432,26 +1432,26 @@ static pj_status_t decode_uint_attr(pj_pool_t *pool,
void **p_attr)
{
pj_stun_uint_attr *attr;
PJ_UNUSED_ARG(msghdr);
/* Create the attribute */
attr = PJ_POOL_ZALLOC_T(pool, pj_stun_uint_attr);
GETATTRHDR(buf, &attr->hdr);
- attr->value = GETVAL32H(buf, 4);
-
/* Check that the attribute length is valid */
if (attr->hdr.length != 4)
return PJNATH_ESTUNINATTRLEN;
+ attr->value = GETVAL32H(buf, 4);
+
/* Done */
*p_attr = attr;
return PJ_SUCCESS;
}
static pj_status_t encode_uint_attr(const void *a, pj_uint8_t *buf,
unsigned len,
const pj_stun_msg_hdr *msghdr,
@@ -1751,28 +1751,29 @@ static pj_status_t decode_errcode_attr(pj_pool_t *pool,
{
pj_stun_errcode_attr *attr;
pj_str_t value;
PJ_UNUSED_ARG(msghdr);
/* Create the attribute */
attr = PJ_POOL_ZALLOC_T(pool, pj_stun_errcode_attr);
GETATTRHDR(buf, &attr->hdr);
+ /* Check that the attribute length is valid */
+ if (attr->hdr.length < 4)
+ return PJNATH_ESTUNINATTRLEN;
+
attr->err_code = buf[6] * 100 + buf[7];
/* Get pointer to the string in the message */
value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
value.slen = attr->hdr.length - 4;
- /* Make sure the length is never negative */
- if (value.slen < 0)
- value.slen = 0;
/* Copy the string to the attribute */
pj_strdup(pool, &attr->reason, &value);
/* Done */
*p_attr = attr;
return PJ_SUCCESS;
}
--
2.41.0
Reference in New Issue View Git Blame Copy Permalink