Commit 7a1ffcdf38 for asterisk.org

commit 7a1ffcdf38cc76d1c4eae51651667f3fd4548ab0
Author: Milan Kyselica <mil.kyselica@gmail.com>
Date:   Tue Mar 24 19:22:02 2026 +0100

    res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser

    The parse_simple_message_summary() function uses sscanf with an
    unbounded %s format specifier to parse the Message-Account field
    from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
    buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
    with a Message-Account value exceeding 512 bytes overflows the
    buffer, corrupting adjacent stack data and permanently disabling
    the PJSIP transport layer without crashing the process.

    Add a width specifier (%511s) to limit the sscanf write to
    PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
    the destination buffer size.

    Resolves: #GHSA-589g-qgf8-m6mx

diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c
index 644b54238f..1545acc475 100644
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -3886,7 +3886,7 @@ static int parse_simple_message_summary(char *body,
 			&summary->voice_messages_urgent_new, &summary->voice_messages_urgent_old)) {
 			found_counts = 1;
 		} else {
-			sscanf(line, "message-account: %s", summary->message_account);
+			sscanf(line, "message-account: %511s", summary->message_account);
 		}
 	}