From: Milan Kyselica Date: Tue, 24 Mar 2026 18:22:02 +0000 (+0100) Subject: res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=7a1ffcdf38cc76d1c4eae51651667f3fd4548ab0;p=thirdparty%2Fasterisk.git res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser The parse_simple_message_summary() function uses sscanf with an unbounded %s format specifier to parse the Message-Account field from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY with a Message-Account value exceeding 512 bytes overflows the buffer, corrupting adjacent stack data and permanently disabling the PJSIP transport layer without crashing the process. Add a width specifier (%511s) to limit the sscanf write to PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching the destination buffer size. Resolves: #GHSA-589g-qgf8-m6mx --- diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c index 644b54238f..1545acc475 100644 --- a/res/res_pjsip_pubsub.c +++ b/res/res_pjsip_pubsub.c @@ -3886,7 +3886,7 @@ static int parse_simple_message_summary(char *body, &summary->voice_messages_urgent_new, &summary->voice_messages_urgent_old)) { found_counts = 1; } else { - sscanf(line, "message-account: %s", summary->message_account); + sscanf(line, "message-account: %511s", summary->message_account); } }
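Review bot: The width in the new `sscanf(line, "message-account: %511s", summary->message_account);` line is a hand-written literal that nothing ties to PJSIP_MAX_URL_SIZE. If the buffer size is ever lowered, the format string keeps writing up to 512 bytes and the overflow returns without any compiler diagnostic. Consider deriving the width from the macro, or adding a compile-time check next to the call that the destination is still at least 512 bytes, plus a short comment saying that 511 is PJSIP_MAX_URL_SIZE - 1. Separately, the return value of sscanf is still ignored in this else branch, so a Message-Account longer than 511 bytes is now silently truncated and processed as if it were valid. Since the commit message describes this input as reachable from an unauthenticated NOTIFY, it may be better to detect the over-long value and reject or log the body rather than store a truncated URI.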