Buffer overflow in PJSUA leads to denial of service when invoking pjsua_call_dump with malicious input.
PJLIB (, 2.1.11], fixed in 2.12
CVE-2021-43303 is a buffer overflow vulnerability in pjsua_call_dump - a function that dumps call statistics to a given buffer:
Attackers that can remotely control the size of the buffer argument of pjsua_call_dump may cause a denial of service (specifically, the allocated buffer size needs to be smaller than 128 bytes).
The function uses the tmp variable in order to store the statistics temporarily and then copies it to the output argument buffer without validating that maxlen is at most len (which can be up to 128). This can lead to a buffer overflow if the capacity of the given buffer parameter is smaller than
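A simplified model of the copy pattern described above, as an added example that is not PJSIP's source and not part of the original advisory: the function names, the sample statistics line and the canary arena are assumptions made for illustration. It contrasts a copy that ignores maxlen with one that truncates to it, and counts the bytes written past the claimed capacity inside an oversized arena, so the measurement itself stays within allocated memory.

```c
#include <stdio.h>
#include <string.h>

#define TMP_SIZE 128 /* temporary buffer size named in the advisory */
typedef int (*dump_fn)(char *buffer, unsigned maxlen);

/* Formats a constructed statistics line into tmp and returns its length. */
static int format_stats(char *tmp, size_t size) {
    int len = snprintf(tmp, size, "Call time: %02dh:%02dm:%02ds, "
                       "1st res in %d ms, conn in %d ms", 0, 1, 42, 120, 350);
    return (len < 1 || len >= (int)size) ? (int)size - 1 : len;
}

/* Vulnerable pattern: copies len bytes plus a terminator, ignoring maxlen. */
int dump_unchecked(char *buffer, unsigned maxlen) {
    char tmp[TMP_SIZE];
    int len = format_stats(tmp, sizeof(tmp));
    (void)maxlen;
    memcpy(buffer, tmp, (size_t)len);
    buffer[len] = '\0';
    return len;
}

/* Hardened pattern: truncates the copy so it always fits in maxlen bytes. */
int dump_checked(char *buffer, unsigned maxlen) {
    char tmp[TMP_SIZE];
    if (buffer == NULL || maxlen == 0) return -1;
    int len = format_stats(tmp, sizeof(tmp));
    if ((unsigned)len >= maxlen) len = (int)maxlen - 1;
    memcpy(buffer, tmp, (size_t)len);
    buffer[len] = '\0';
    return len;
}

/* Calls fn with a claimed capacity of cap inside a larger canary-filled arena
 * and returns how many bytes at or beyond cap were overwritten. */
int bytes_past_capacity(dump_fn fn, unsigned cap) {
    unsigned char arena[2 * TMP_SIZE];
    int n = 0;
    memset(arena, 0xAA, sizeof(arena));
    fn((char *)arena, cap);
    for (size_t i = cap; i < sizeof(arena); i++) n += (arena[i] != 0xAA);
    return n;
}

int main(void) {
    printf("past 16-byte capacity: unchecked=%d checked=%d\n",
           bytes_past_capacity(dump_unchecked, 16), bytes_past_capacity(dump_checked, 16));
    return 0;
}
```

Building real callers with AddressSanitizer (-fsanitize=address) flags the same out-of-bounds write at the memcpy when the destination is smaller than the formatted line.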
No PoC is supplied for this vulnerability.
No mitigations are provided for this vulnerability.
In order to fully fix this vulnerability, we recommend upgrading PJSIP to version 2.12.