res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
authorMilan Kyselica <mil.kyselica@gmail.com>
Tue, 24 Mar 2026 18:22:02 +0000 (19:22 +0100)
committerGeorge Joseph <gtjoseph@users.noreply.github.com>
Thu, 25 Jun 2026 14:21:09 +0000 (08:21 -0600)
The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.

Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.

Resolves: #GHSA-589g-qgf8-m6mx

res/res_pjsip_pubsub.c

index 644b54238fdcb13cb81076a215b091d46d178db7..1545acc4756257245b840c6581387756eceecce6 100644 (file)
@@ -3886,7 +3886,7 @@ static int parse_simple_message_summary(char *body,
                        &summary->voice_messages_urgent_new, &summary->voice_messages_urgent_old)) {
                        found_counts = 1;
                } else {
-                       sscanf(line, "message-account: %s", summary->message_account);
+                       sscanf(line, "message-account: %511s", summary->message_account);
                }
        }
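Review bot: The width `511` on the new sscanf line is a bare literal that has to track PJSIP_MAX_URL_SIZE - 1 by hand, so a later change to the size of message_account (the commit message says it is a PJSIP_MAX_URL_SIZE-byte buffer; its declaration is not in the hunk) would silently reopen the overflow the commit closes. Tie the two together, either by building the format from the constant with a stringification macro or at minimum with a comment on the call such as `/* %511s: width must stay PJSIP_MAX_URL_SIZE - 1 to leave room for the NUL */`. Separately, an over-long Message-Account value is now silently truncated and the sscanf return is still unchecked, so a cut-off account URI is indistinguishable from a complete one; a check such as `if (strlen(summary->message_account) == PJSIP_MAX_URL_SIZE - 1) { ast_log(LOG_WARNING, "Message-Account truncated\n"); }` after the call would make the condition visible in logs. parse_simple_message_summary() begins and ends outside the hunk, so whether message_account is zeroed before parsing could not be confirmed here.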