Based on upstream d8440f4d711a654b511f50f79c0445b26f9dd1e1 with
whitespace changes to allow it to apply to 1.12.1

diff --git a/pjnath/include/pjnath/stun_msg.h b/pjnath/include/pjnath/stun_msg.h
index 6b5fc0f21..e8f52db3c 100644
--- a/pjnath/include/pjnath/stun_msg.h
+++ b/pjnath/include/pjnath/stun_msg.h
@@ -443,6 +443,7 @@ typedef enum pj_stun_status
 
    \endverbatim
  */
+#pragma pack(1)
 typedef struct pj_stun_msg_hdr
 {
     /**
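Review bot: The closing `#pragma pack()` used to end these regions resets packing to the compiler default instead of restoring whatever was in effect when stun_msg.h was included, so a translation unit that includes this public header inside its own pack region is silently left with default packing afterwards. Use `#pragma pack(push, 1)` here and `#pragma pack(pop)` at the close, and apply the same to the three following hunks (the pj_stun_msg_hdr close and both pj_stun_attr_hdr hunks). A short comment above the pragma, such as `/* Pin sizeof() to the 20/4-byte wire size; the decoder's length checks rely on it */`, would record why the packing matters, since the decoder now derives ATTR_HDR_LEN from sizeof(pj_stun_attr_hdr).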
@@ -474,6 +475,7 @@ typedef struct pj_stun_msg_hdr
     pj_uint8_t		tsx_id[12];
 
 } pj_stun_msg_hdr;
+#pragma pack()
 
 
 /**
@@ -491,6 +493,7 @@ typedef struct pj_stun_msg_hdr
 
    \endverbatim
  */
+#pragma pack(1)
 typedef struct pj_stun_attr_hdr
 {
     /**
@@ -507,6 +510,7 @@ typedef struct pj_stun_attr_hdr
     pj_uint16_t		length;
 
 } pj_stun_attr_hdr;
+#pragma pack()
 
 
 /**
diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
index bd83351e6..18b70cc22 100644
--- a/pjnath/src/pjnath/stun_msg.c
+++ b/pjnath/src/pjnath/stun_msg.c
@@ -746,8 +746,8 @@ PJ_DEF(int) pj_stun_set_padding_char(int chr)
 
 
 #define INIT_ATTR(a,t,l)    (a)->hdr.type=(pj_uint16_t)(t), \
-			    (a)->hdr.length=(pj_uint16_t)(l)
-#define ATTR_HDR_LEN	    4
+                            (a)->hdr.length=(pj_uint16_t)(l)
+#define ATTR_HDR_LEN        sizeof(pj_stun_attr_hdr)
 
 static pj_uint16_t GETVAL16H(const pj_uint8_t *buf, unsigned pos)
 {
@@ -2328,6 +2328,14 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
 	status = pj_stun_msg_check(pdu, pdu_len, options);
 	if (status != PJ_SUCCESS)
 	    return status;
+    } else {
+        /* For safety, verify packet length at least */
+        pj_uint32_t msg_len = GETVAL16H(pdu, 2) + 20;
+        if (msg_len > pdu_len ||
+            ((options & PJ_STUN_IS_DATAGRAM) && msg_len != pdu_len))
+        {
+            return PJNATH_EINSTUNMSGLEN;
+        }
     }
 
     /* Create the message, copy the header, and convert to host byte order */
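Review bot: The new else branch reads `GETVAL16H(pdu, 2)` before anything confirms that pdu_len covers those bytes, so when PJ_STUN_CHECK_PACKET is not set and a caller passes fewer than 4 bytes the read runs past the buffer; the start of pj_stun_msg_decode is outside this hunk, so if it already rejects inputs shorter than the header this is moot, otherwise add `if (pdu_len < sizeof(pj_stun_msg_hdr)) return PJNATH_EINSTUNMSGLEN;` ahead of the msg_len computation. Once the check passes, msg_len >= 20 together with msg_len <= pdu_len does guarantee the header copy that follows is in bounds. The literal `20` would also read better as `sizeof(pj_stun_msg_hdr)`, matching how the same patch redefines ATTR_HDR_LEN from sizeof(pj_stun_attr_hdr).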
@@ -2346,7 +2354,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
 	p_response = NULL;
 
     /* Parse attributes */
-    while (pdu_len >= 4) {
+    while (pdu_len >= ATTR_HDR_LEN) {
 	unsigned attr_type, attr_val_len;
 	const struct attr_desc *adesc;
 
@@ -2358,7 +2366,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
 	attr_val_len = (attr_val_len + 3) & (~3);
 
 	/* Check length */
-	if (pdu_len < attr_val_len) {
+	if (pdu_len < attr_val_len + ATTR_HDR_LEN) {
 	    pj_str_t err_msg;
 	    char err_msg_buf[80];