Merge pull request #793 from micmac1/ast-18.5.1-21.02

[feed/telephony.git] / libs / pjproject / patches / 0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch

diff --git a/libs/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch b/libs/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch
new file mode 100644 (file)
index 0000000..d66b773
--- /dev/null
+++ b/libs/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch
@@ -0,0 +1,39 @@
+From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001
+From: sauwming <ming@teluu.com>
+Date: Tue, 7 Jun 2022 12:00:13 +0800
+Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj
+
+---
+ pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/pjlib-util/src/pjlib-util/stun_simple.c
++++ b/pjlib-util/src/pjlib-util/stun_simple.c
+@@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( vo
+ {
+     pj_uint16_t msg_type, msg_len;
+     char *p_attr;
++    int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr);
+ 
+     PJ_CHECK_STACK();
+ 
+@@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( vo
+     msg->attr_count = 0;
+     p_attr = (char*)buf + sizeof(pjstun_msg_hdr);
+ 
+-    while (msg_len > 0) {
++    while (msg_len > 0 && msg->attr_count < attr_max_cnt) {
+       pjstun_attr_hdr **attr = &msg->attr[msg->attr_count];
+       pj_uint32_t len;
+       pj_uint16_t attr_type;
+@@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( vo
+       p_attr += len;
+       ++msg->attr_count;
+     }
++    if (msg->attr_count == attr_max_cnt) {
++      PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.",
++                 attr_max_cnt));
++    }
+ 
+     return PJ_SUCCESS;
+ }