The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.
Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.
Resolves: #GHSA-589g-qgf8-m6mx
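Added example, not pjsip's code: the pre-patch unbounded `%s` parse beside a width-bounded one, each run over a constructed `message-account:` line carrying a 600-byte value. The destination buffer is followed by an in-object spill area so the overflow can be counted instead of crashing. `ACCOUNT_BUF_SIZE` (512, standing in for PJSIP_MAX_URL_SIZE), `summary_stub` and all helper names are this example's own; unlike the patch's hand-typed 511, the width here is derived from the destination size with snprintf so it cannot drift from the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for PJSIP_MAX_URL_SIZE, which the commit message gives as 512.
 * The name ACCOUNT_BUF_SIZE is this example's own, not pjsip's. */
#define ACCOUNT_BUF_SIZE 512

/* Stand-in for the summary struct: the account buffer followed by a spill
 * area that represents the adjacent data the commit message says gets
 * corrupted. Keeping the spill inside the object lets the demo observe the
 * overflow without writing past the struct. */
struct summary_stub {
    char message_account[ACCOUNT_BUF_SIZE];
    char spill[256];
};

/* Pre-patch behaviour: %s with no width, bounded only by the input length. */
static void parse_unbounded(const char *line, struct summary_stub *s)
{
    sscanf(line, "message-account: %s", s->message_account);
}

/* Hardened parse: the width comes from the destination size at run time, so
 * it cannot drift from the buffer the way a hand-typed 511 can. Returns 1 if
 * a value was stored in out, 0 otherwise. */
static int parse_bounded(const char *line, char *out, size_t out_sz)
{
    char fmt[48];

    if (out_sz < 2)
        return 0;
    /* Produces e.g. "message-account: %511s": at most out_sz-1 chars + NUL. */
    snprintf(fmt, sizeof fmt, "message-account: %%%zus", out_sz - 1);
    out[0] = '\0';
    return sscanf(line, fmt, out) == 1;
}

/* Constructed NOTIFY body line whose value is `len` repeated 'A' characters. */
static void make_long_line(char *buf, size_t buf_sz, size_t len)
{
    const char prefix[] = "message-account: ";
    size_t p = sizeof prefix - 1;

    if (len > buf_sz - p - 1)
        len = buf_sz - p - 1;
    memcpy(buf, prefix, p);
    memset(buf + p, 'A', len);
    buf[p + len] = '\0';
}

/* Parse a value of `value_len` bytes with the chosen parser and return how
 * many spill bytes were overwritten (0 means the buffer boundary held).
 * If parsed_len is non-NULL it receives the stored account's length. */
static size_t spill_clobbered(int bounded, size_t value_len, size_t *parsed_len)
{
    char line[1024];
    struct summary_stub s;
    size_t i, n = 0;

    make_long_line(line, sizeof line, value_len);
    memset(&s, 0, sizeof s);
    memset(s.spill, 'C', sizeof s.spill);
    if (bounded)
        parse_bounded(line, s.message_account, sizeof s.message_account);
    else
        parse_unbounded(line, &s);
    if (parsed_len)
        *parsed_len = strnlen(s.message_account, sizeof s.message_account);
    for (i = 0; i < sizeof s.spill; i++)
        if (s.spill[i] != 'C')
            n++;
    return n;
}

/* Length the bounded parser stores for an over-long value (expect 511). */
static size_t bounded_stored_len(size_t value_len)
{
    size_t len = 0;
    spill_clobbered(1, value_len, &len);
    return len;
}

/* Returns 1 if "message-account: <value>" round-trips unchanged through the
 * bounded parser, i.e. the normal well-formed case is not harmed. */
static int bounded_roundtrip(const char *value)
{
    char line[ACCOUNT_BUF_SIZE + 32];
    char out[ACCOUNT_BUF_SIZE];

    snprintf(line, sizeof line, "message-account: %s", value);
    return parse_bounded(line, out, sizeof out) == 1 && strcmp(out, value) == 0;
}

/* What parse_bounded() reports for an arbitrary body line. */
static int bounded_matches(const char *line)
{
    char out[ACCOUNT_BUF_SIZE];
    return parse_bounded(line, out, sizeof out);
}

int main(void)
{
    size_t unb = spill_clobbered(0, 600, NULL);
    size_t bnd = spill_clobbered(1, 600, NULL);
    printf("unbounded %%s: %zu spill bytes clobbered\n", unb);
    printf("bounded   %%s: %zu spill bytes clobbered, stored %zu chars\n",
           bnd, bounded_stored_len(600));
    printf("roundtrip ok: %d\n", bounded_roundtrip("sip:alice@vm.example.com"));
    return 0;
}
```

With a 600-byte value the unbounded parse writes 88 'A' bytes plus the terminating NUL past the 512-byte buffer, while the bounded parse stores exactly 511 characters and leaves the spill area untouched. Building the format at run time is one way to keep the width tied to the buffer; stringifying a compile-time constant into the format literal achieves the same without the snprintf call.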
&summary->voice_messages_urgent_new, &summary->voice_messages_urgent_old)) {
found_counts = 1;
} else {
- sscanf(line, "message-account: %s", summary->message_account);
+ sscanf(line, "message-account: %511s", summary->message_account);
}
}
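Review bot: the width in `%511s` is a hand-typed literal that the commit message says must equal PJSIP_MAX_URL_SIZE - 1, but nothing in this hunk ties the two together, so a later change to PJSIP_MAX_URL_SIZE (or to the type of summary->message_account) would silently reopen the overflow or start truncating valid values. Consider deriving the width from the constant instead of repeating it, for example by stringifying a compile-time constant into the format literal or by building the format with snprintf, and add a compile-time assertion that the width plus one equals sizeof(summary->message_account). Two smaller points: the return value of sscanf is still ignored, so on a line that does not match, message_account keeps whatever it previously held; and an over-long value is now silently truncated at 511 characters rather than rejected, which is a reasonable choice for a fixed buffer but deserves a comment at the call site.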