Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Mon Jan 14 16:03:37 UTC 2013
On Mon, Jan 14, 2013 at 04:02:22PM +0100, Javier Serrano Polo wrote:
> AST-2012-014: b/channels/chan_sip.c
>
> @@ -3078,7 +3079,7 @@ static void *_sip_tcp_helper_thread(stru
> req.socket.fd = tcptls_session->fd;
>
> /* Read in headers one line at a time */
> - while (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4)) {
> + while ((req.len <= SIP_MAX_PACKET_SIZE) || (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4))) {
> if (!tcptls_session->client && !authenticated ) {
> if ((timeout = sip_check_authtimeout(start)) < 0) {
> goto cleanup;
>
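Review bot: In the added `while` condition, the size check `(req.len <= SIP_MAX_PACKET_SIZE)` is joined to the terminator test with `||`, so it does not bound the read. The loop keeps running whenever `req.len` is within the limit, even after the `"\r\n\r\n"` terminator has arrived, and once `req.len` exceeds the limit it still keeps running for as long as the terminator is missing. The bound needs to be ANDed with the existing test, e.g. `while (req.len <= SIP_MAX_PACKET_SIZE && (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4)))`, and the code after the loop should treat an exit caused by the size limit as an error rather than as a complete header block.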
> Are you sure? That size hint condition should be ANDed.
You're right.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir