Ticket #2016 (closed defect: fixed)

Opened 5 months ago

Last modified 5 months ago

Buffer overrun in PJSIP transaction layer

Reported by: ming Owned by: bennylp
Priority: normal Milestone: release-2.7
Component: pjsip Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description (last modified by ming)

A crash can happen if PJSIP receives a message with a specific CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.

Thanks to George Joseph and the Asterisk team for the report.
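The defect class described above (a key built from header fields into a buffer whose size estimate does not cover every field the builder can emit) is shown below in a small added example. This is not PJSIP's code or its fix; the key layout, the field names and the sample values are hypothetical and chosen only to illustrate the pattern: size the buffer from the same inputs the builder uses, including the fallback field used when the Via has no branch parameter, and have the builder refuse to write past the capacity it was given.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified transaction key made of a few header fields.  The field choice
 * is hypothetical and for illustration only; it is not PJSIP's real key layout. */
typedef struct {
    const char *method;
    const char *cseq;        /* CSeq number as decimal text, any length */
    const char *call_id;
    const char *via_branch;  /* NULL when the Via has no branch parameter */
    const char *via_host;    /* used instead of the branch in that case */
} key_parts;

/* Bytes the key needs, NUL included.  Every field build_key() may emit is
 * counted here, including the host that replaces a missing branch; a fixed
 * allowance for CSeq or a forgotten fallback field is how an estimate comes
 * up short. */
size_t key_required_len(const key_parts *p)
{
    size_t n = strlen(p->method) + 1 + strlen(p->cseq) + 1 + strlen(p->call_id) + 1;
    n += p->via_branch ? strlen(p->via_branch) : strlen(p->via_host);
    return n + 1;
}

/* Write the key into buf of capacity cap.  Returns the number of characters
 * written (NUL excluded) or -1 if cap is too small.  snprintf never writes
 * past cap, so an undersized buffer yields an error instead of corrupting
 * neighbouring heap metadata. */
int build_key(char *buf, size_t cap, const key_parts *p)
{
    const char *via = p->via_branch ? p->via_branch : p->via_host;
    int n = snprintf(buf, cap, "%s|%s|%s|%s", p->method, p->cseq, p->call_id, via);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Allocate exactly what key_required_len() reports and cross-check that the
 * estimator and the builder agree; a mismatch means the estimate is wrong. */
char *make_key(const key_parts *p)
{
    size_t cap = key_required_len(p);
    char *buf = malloc(cap);
    if (!buf)
        return NULL;
    int n = build_key(buf, cap, p);
    if (n < 0 || (size_t)n + 1 != cap) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* Constructed sample: a long CSeq value and a Via without a branch. */
    key_parts p = { "INVITE", "4294967295", "a84b4c76e66710@pc33.example.com",
                    NULL, "pc33.example.com" };
    char *k = make_key(&p);
    if (!k)
        return 1;
    printf("%s\n", k);
    free(k);

    /* A deliberately small buffer: the builder reports -1 rather than overrunning. */
    char small[8];
    printf("%d\n", build_key(small, sizeof small, &p));
    return 0;
}
```

The cross-check in make_key() is the part worth keeping in production code: if the length estimator and the writer ever disagree, the call fails loudly instead of silently trusting an allocation that was computed from a different set of fields.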

Change History

comment:1 Changed 5 months ago by ming

  • Status changed from new to closed
  • Resolution set to fixed

In 5593:

Fixed #2016: Buffer overrun in PJSIP transaction layer

comment:2 Changed 5 months ago by ming

  • Description modified