-
Notifications
You must be signed in to change notification settings - Fork 768
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request from GHSA-7fw8-54cv-r7pm
- Loading branch information
Showing
1 changed file
with
9 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
077b465
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for this CVE. why we modify pj_scan_get_char. why do not modify the content-type function
077b465
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We were also considering of modifying the SIP multipart input buffer to create a temporary NULL sentinel within the buffer but decided not to. The downside of the approach is that we need exclusive access to the input buffer (which is currently not mentioned in the doc), so any app currently reading/processing the message at the same time will be affected.
077b465
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i review the parse_hdr_content_type( ), i guest "content-type: multipart/mixed; " is a malformed sip message, is right? i am not sure pj_scan_get() is ok or not when "content-type: multipart".(no "/" char)
077b465
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reported issue was in
parse_multipart_part()
->pjsip_parse_headers()
.If you suspect an issue somewhere else, please open a new PR/issue or send an email to us.