From: Roberto Paleari
Date: Wed, 29 Apr 2026 12:18:31 +0000 (+0200)
Subject: res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1039bed76fa3248f58b6880e4b3f1421ef98b01f;p=thirdparty%2Fasterisk.git

res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser

Add constraint checks to prevent unauthenticated users from crashing Asterisk instance by sending a crafted inbound SIP NOTIFY request with "Content-Type: application/simple-message-summary".

Resolves: #GHSA-8jw3-ccr9-xrmf
---
diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 1545acc475..1852a5f877 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -3902,6 +3902,7 @@ static pj_bool_t pubsub_on_rx_mwi_notify_request(pjsip_rx_data *rdata)
 char *context;
 char *body;
 char *mailbox;
+ int body_len;
 int rc;

 endpoint = ast_pjsip_rdata_get_endpoint(rdata);
@@ -3934,9 +3935,16 @@ static pj_bool_t pubsub_on_rx_mwi_notify_request(pjsip_rx_data *rdata)
 context = atsign + 1;

 body = ast_alloca(rdata->msg_info.msg->body->len + 1);
- rdata->msg_info.msg->body->print_body(rdata->msg_info.msg->body, body,
+ body_len = rdata->msg_info.msg->body->print_body(rdata->msg_info.msg->body, body,
 rdata->msg_info.msg->body->len + 1);

+ if (body_len < 0 || body_len > rdata->msg_info.msg->body->len) {
+ ast_debug(1, "Incoming MWI: Endpoint: '%s' Unable to print request body\n", endpoint_name);
+ rc = 404;
+ goto error;
+ }
+ body[body_len] = '\0';
+
 if (parse_simple_message_summary(body, &summary) != 0) {
 ast_debug(1, "Incoming MWI: Endpoint: '%s' There was an issue getting message info from body '%s'\n",
 ast_sorcery_object_get_id(endpoint), body);
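Review bot: In the second hunk, the `ast_alloca(rdata->msg_info.msg->body->len + 1)` call above the new check still sizes a stack buffer from the body length of a request that, per the commit message, an unauthenticated sender controls. The added bounds check runs only after that allocation. PJSIP's packet-size limit presumably bounds `len`, but nothing in the hunk shows it, so an explicit cap before the allocation would make the bound local, e.g. `if (rdata->msg_info.msg->body->len > MWI_BODY_MAX) { rc = 413; goto error; }`, where `MWI_BODY_MAX` is a placeholder for a limit the module would define. The new comparison `body_len > rdata->msg_info.msg->body->len` also appears to mix a signed `int` with an unsigned field and is correct only because `body_len < 0` is tested first; a comment such as `/* body_len < 0 must be tested first: the second comparison is unsigned */` would protect that ordering. The function begins and ends outside both hunks, so whether `body` is NULL-checked earlier cannot be confirmed here.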