AST-2012-014: b/channels/chan_sip.c

@@ -3078,7 +3079,7 @@ static void *_sip_tcp_helper_thread(stru
                        req.socket.fd = tcptls_session->fd;
 
                        /* Read in headers one line at a time */
-                       while (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, 
len - 4), "\r\n\r\n", 4)) {
+                       while ((req.len <= SIP_MAX_PACKET_SIZE) || (req.len < 4 
|| strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4))) {
                                if (!tcptls_session->client && !authenticated ) 
{
                                        if ((timeout = 
sip_check_authtimeout(start)) < 0) {
                                                goto cleanup;
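Review bot: The new `while` condition folds the size limit into the same test as the `"\r\n\r\n"` terminator check, so once the loop ends the code after it cannot tell a complete header block from a request that stopped at `SIP_MAX_PACKET_SIZE`. However the two tests end up being combined, an oversized request should be dropped explicitly rather than handed on for parsing, for example with `if (req.len > SIP_MAX_PACKET_SIZE) goto cleanup;` right after the line is appended inside the loop. The append is outside this hunk, so it is worth confirming that a single long line cannot grow `req` well past the limit before any check runs. A short comment on the loop, such as `/* Stop reading once the request exceeds SIP_MAX_PACKET_SIZE so a peer cannot grow req without bound */`, would record why the limit is there.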

Are you sure? That size hint condition should be ANDed.
