res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
authorRoberto Paleari <r.paleari@reply.it>
Wed, 29 Apr 2026 12:18:31 +0000 (14:18 +0200)
committerGeorge Joseph <gtjoseph@users.noreply.github.com>
Thu, 25 Jun 2026 14:21:09 +0000 (08:21 -0600)
Add constraint checks to prevent unauthenticated users from crashing an Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".

Resolves: #GHSA-8jw3-ccr9-xrmf

res/res_pjsip_pubsub.c

index 1545acc4756257245b840c6581387756eceecce6..1852a5f8776e35583325857a8783dd3e68c881c1 100644 (file)
@@ -3902,6 +3902,7 @@ static pj_bool_t pubsub_on_rx_mwi_notify_request(pjsip_rx_data *rdata)
        char *context;
        char *body;
        char *mailbox;
+       int body_len;
        int rc;
 
        endpoint = ast_pjsip_rdata_get_endpoint(rdata);
@@ -3934,9 +3935,16 @@ static pj_bool_t pubsub_on_rx_mwi_notify_request(pjsip_rx_data *rdata)
        context = atsign + 1;
 
        body = ast_alloca(rdata->msg_info.msg->body->len + 1);
-       rdata->msg_info.msg->body->print_body(rdata->msg_info.msg->body, body,
+       body_len = rdata->msg_info.msg->body->print_body(rdata->msg_info.msg->body, body,
                rdata->msg_info.msg->body->len + 1);
 
+       if (body_len < 0 || body_len > rdata->msg_info.msg->body->len) {
+               ast_debug(1, "Incoming MWI: Endpoint: '%s' Unable to print request body\n", endpoint_name);
+               rc = 404;
+               goto error;
+       }
+       body[body_len] = '\0';
+
        if (parse_simple_message_summary(body, &summary) != 0) {
                ast_debug(1, "Incoming MWI: Endpoint: '%s' There was an issue getting message info from body '%s'\n",
                        ast_sorcery_object_get_id(endpoint), body);
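Review bot: The unchanged `ast_alloca(rdata->msg_info.msg->body->len + 1)` at the top of this hunk still sizes a stack allocation from the length of a request body that, per the commit message, an unauthenticated sender controls; the new checks bound what is read afterwards, not how much stack is reserved. Unless a packet-size limit enforced elsewhere is being relied on (not visible here), reject oversized bodies before the allocation, e.g. `if (rdata->msg_info.msg->body->len > MWI_BODY_MAX) { rc = 404; goto error; }`, where `MWI_BODY_MAX` is a placeholder for a limit the project would choose. A short comment above `body[body_len] = '\0';` would also record why the terminator is written by hand, for example `/* print_body() returns a byte count and may not NUL-terminate; the parser below expects a C string */`. The function starts and ends outside this hunk, so the `error` label and any earlier validation of `msg->body` cannot be checked from here.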