Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#2016 closed defect (fixed)

Buffer overrun in PJSIP transaction layer — at Version 2

Reported by: ming
Owned by: bennylp
Priority: normal
Milestone: release-2.7
Component: pjsip
Version: trunk
Keywords: (none)
Cc: (none)
Backport to 1.x milestone: (none)
Backported: no

Description (last modified by ming)

A crash can happen if PJSIP receives a message with a specific CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.

Thanks to George Joseph and Asterisk team for the report.

Change History (2)

comment:1 Changed 7 years ago by ming

  • Resolution set to fixed
  • Status changed from new to closed

In 5593:

Fixed #2016: Buffer overrun in PJSIP transaction layer

comment:2 Changed 7 years ago by ming

  • Description modified (diff)