Commit 1039bed76f for asterisk.org

commit 1039bed76fa3248f58b6880e4b3f1421ef98b01f
Author: Roberto Paleari <r.paleari@reply.it>
Date:   Wed Apr 29 14:18:31 2026 +0200

    res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser

    Add constraint checks to prevent unauthenticated users from crashing an
    Asterisk instance by sending a crafted inbound SIP NOTIFY request with
    "Content-Type: application/simple-message-summary".

    Resolves: #GHSA-8jw3-ccr9-xrmf

diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 1545acc475..1852a5f877 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -3902,6 +3902,7 @@ static pj_bool_t pubsub_on_rx_mwi_notify_request(pjsip_rx_data *rdata)
 	char *context;
 	char *body;
 	char *mailbox;
+	int body_len;
 	int rc;

 	endpoint = ast_pjsip_rdata_get_endpoint(rdata);
@@ -3934,9 +3935,16 @@ static pj_bool_t pubsub_on_rx_mwi_notify_request(pjsip_rx_data *rdata)
 	context = atsign + 1;

 	body = ast_alloca(rdata->msg_info.msg->body->len + 1);
-	rdata->msg_info.msg->body->print_body(rdata->msg_info.msg->body, body,
+	body_len = rdata->msg_info.msg->body->print_body(rdata->msg_info.msg->body, body,
 		rdata->msg_info.msg->body->len + 1);

+	if (body_len < 0 || body_len > rdata->msg_info.msg->body->len) {
+		ast_debug(1, "Incoming MWI: Endpoint: '%s' Unable to print request body\n", endpoint_name);
+		rc = 404;
+		goto error;
+	}
+	body[body_len] = '\0';
+
 	if (parse_simple_message_summary(body, &summary) != 0) {
 		ast_debug(1, "Incoming MWI: Endpoint: '%s' There was an issue getting message info from body '%s'\n",
 			ast_sorcery_object_get_id(endpoint), body);
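Review bot: The stack allocation `ast_alloca(rdata->msg_info.msg->body->len + 1)` just above the new check is still sized directly by the body length of a request that, per the commit message, an unauthenticated sender can supply, and the added validation only runs after that allocation. Whether a transport-level packet limit bounds `len` is not visible in this hunk, so I would make the bound explicit before allocating, e.g. `if (rdata->msg_info.msg->body->len > MWI_BODY_MAX) { rc = 404; goto error; }` (`MWI_BODY_MAX` is a placeholder name, not an existing constant), or use a heap buffer that is freed on the error path. The new test also depends on `body_len < 0` being evaluated first, because comparing the `int` against `body->len` would convert a negative value if that field is unsigned; a short comment such as `/* negative return must be rejected first: body->len may be unsigned */` would keep a later edit from reordering it. The function starts before and continues past this hunk, so a NULL check on `msg->body` may exist outside it and should be confirmed there.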