Headline
CVE-2021-43303: Build software better, together
Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker-controlled ‘buffer’ argument may cause a buffer overflow, since supplying an output buffer smaller than 128 characters may overflow the output buffer, regardless of the ‘maxlen’ argument supplied
Buffers used in PJSIP typically have limited sizes, especially the ones allocated in the stack or supplied by the application, however in several places, we do not check if our usage can exceed the sizes.
Impact
This could cause buffer overflow and impact applications who use the following APIs:
- pjsua_player_create(filename, …)
- pjsua_recorder_create(filename, …)
- pjmedia_wav_playlist_create(…, file_list, …)
In all the above APIs, issues could arise if applications supply filenames longer than the internal buffers’ sizes. Specific for pjsua_recorder_create(), out-of-bounds read can also happen if app supplies a small filename (shorter than 4 chars).
The issue also affects applications that call:
- pjsua_call_dump(…, buffer, maxlen)
and supply buffer that is too short.
Patches
The patch is available as commit d979253 in the master branch.
Workarounds
A workaround is for the applications to check the parameters’ length (i.e. the filenames and the buffer) before calling the above APIs.
Credits
Thanks to Uriya Yavnieli of the JFrog Security research team for the report.
For more information
If you have any questions or comments about this advisory:
Email us at [email protected]