Buffers used in PJSIP typically have limited sizes, especially the ones allocated in the stack or supplied by the application, however in several places, we do not check if our usage can exceed the sizes.
Impact
This could cause buffer overflow and impact applications who use the following APIs:
- pjsua_player_create(filename, ...)
- pjsua_recorder_create(filename, ...)
- pjmedia_wav_playlist_create(..., file_list, ...)
In all the above APIs, issues could arise if applications supply filenames longer than the internal buffers' sizes. Specific for pjsua_recorder_create(), out-of-bounds read can also happen if app supplies a small filename (shorter than 4 chars).
The issue also affects applications that call:
- pjsua_call_dump(..., buffer, maxlen)
and supply buffer that is too short.
Patches
The patch is available as commit d979253 in the master branch.
The patch fixes CVE-2021-43299 & CVE-2021-43303.
Workarounds
A workaround is for the applications to check the parameters' length (i.e. the filenames and the buffer) before calling the above APIs.
Credits
Thanks to Uriya Yavnieli of the JFrog Security research team for the report.
For more information
If you have any questions or comments about this advisory:
Email us at [email protected]
Buffers used in PJSIP typically have limited sizes, especially the ones allocated in the stack or supplied by the application, however in several places, we do not check if our usage can exceed the sizes.
Impact
This could cause buffer overflow and impact applications who use the following APIs:
In all the above APIs, issues could arise if applications supply filenames longer than the internal buffers' sizes. Specific for
pjsua_recorder_create(), out-of-bounds read can also happen if app supplies a small filename (shorter than 4 chars).The issue also affects applications that call:
and supply buffer that is too short.
Patches
The patch is available as commit d979253 in the master branch.
The patch fixes CVE-2021-43299 & CVE-2021-43303.
Workarounds
A workaround is for the applications to check the parameters' length (i.e. the filenames and the buffer) before calling the above APIs.
Credits
Thanks to Uriya Yavnieli of the JFrog Security research team for the report.
For more information
If you have any questions or comments about this advisory:
Email us at [email protected]