Diffstat (limited to 'pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23547.patch')
-rw-r--r-- | pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23547.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23547.patch b/pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23547.patch
new file mode 100644
index 000000000000..8f7646822585
--- /dev/null
+++ b/pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23547.patch
@@ -0,0 +1,41 @@
+Based on upstream bc4812d31a67d5e2f973fbfaf950d6118226cf36 with
+whitespace changes to allow it to apply to 1.12.1
+
+diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
+index 18b70cc22..b6a6b3528 100644
+--- a/pjnath/src/pjnath/stun_msg.c
++++ b/pjnath/src/pjnath/stun_msg.c
+@@ -1439,12 +1439,12 @@ static pj_status_t decode_uint_attr(pj_pool_t *pool,
+ attr = PJ_POOL_ZALLOC_T(pool, pj_stun_uint_attr);
+ GETATTRHDR(buf, &attr->hdr);
+
+- attr->value = GETVAL32H(buf, 4);
+-
+ /* Check that the attribute length is valid */
+ if (attr->hdr.length != 4)
+ return PJNATH_ESTUNINATTRLEN;
+
++ attr->value = GETVAL32H(buf, 4);
++
+ /* Done */
+ *p_attr = attr;
+
+@@ -1758,14 +1758,15 @@ static pj_status_t decode_errcode_attr(pj_pool_t *pool,
+ attr = PJ_POOL_ZALLOC_T(pool, pj_stun_errcode_attr);
+ GETATTRHDR(buf, &attr->hdr);
+
++ /* Check that the attribute length is valid */
++ if (attr->hdr.length < 4)
++ return PJNATH_ESTUNINATTRLEN;
++
+ attr->err_code = buf[6] * 100 + buf[7];
+
+ /* Get pointer to the string in the message */
+ value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
+ value.slen = attr->hdr.length - 4;
+- /* Make sure the length is never negative */
+- if (value.slen < 0)
+- value.slen = 0;
+
+ /* Copy the string to the attribute */
+ pj_strdup(pool, &attr->reason, &value);  |
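Review bot: Both guards in the embedded patch compare only the attribute's declared length (`attr->hdr.length != 4` in decode_uint_attr, `attr->hdr.length < 4` in decode_errcode_attr), so the reads that follow them (`GETVAL32H(buf, 4)`, `buf[6]`, `buf[7]`, and the `pj_strdup` of `hdr.length - 4` bytes) stay in bounds only if the caller has already confirmed that the declared length fits inside the received message. That caller is outside these hunks, and both function bodies start and end outside them as well, so this should be checked against the exact source tree the backport is applied to rather than assumed from upstream. Once verified, I would record it in the patch header next to the upstream commit reference, e.g. `Relies on the STUN message decoder bounds-checking each attribute against the PDU length before calling the per-attribute decoders.` This view is limited to the patch file, so whether the package expression actually lists the patch is not visible here and is worth confirming with a build.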