Commit 12072a559f for asterisk.org

commit 12072a559f592736a44dd9fbe1594e84714edfb4
Author: Milan Kyselica <mil.kyselica@gmail.com>
Date:   Thu Mar 26 15:48:28 2026 +0100

    res_xmpp: Fix stack buffer overflow in namespace prefix handling

    The snprintf size parameter in xmpp_action_hook() is computed from
    the attacker-controlled namespace prefix length and is not bounded
    by the 256-byte stack buffer size. When a remote XMPP peer sends a
    stanza with a child element whose namespace prefix exceeds 249
    characters, snprintf writes past the buffer boundary.

    Use sizeof(attr) as the snprintf size limit and %.*s precision to
    extract only the prefix portion of the element name, preserving
    the original truncation behavior for valid inputs.

    Resolves: #GHSA-mxgm-8c6f-5p8f

diff --git a/res/res_xmpp.c b/res/res_xmpp.c
index 44eeed2e62..8396dbe26c 100644
--- a/res/res_xmpp.c
+++ b/res/res_xmpp.c
@@ -3612,8 +3612,9 @@ static int xmpp_action_hook(void *data, int type, iks *node)
 		char *node_ns = NULL;
 		char attr[XMPP_MAX_ATTRLEN];
 		char *node_name = iks_name(iks_child(node));
-		char *aux = strchr(node_name, ':') + 1;
-		snprintf(attr, strlen("xmlns:") + (strlen(node_name) - strlen(aux)), "xmlns:%s", node_name);
+		char *colon = strchr(node_name, ':');
+		snprintf(attr, sizeof(attr), "xmlns:%.*s",
+			(int)(colon - node_name), node_name);
 		node_ns = iks_find_attrib(iks_child(node), attr);
 		if (node_ns) {
 			pak->ns = node_ns;