Fixed Issue #147: Segfaults on ShairPort version 0.05 C port

When requesting resend of packets a lot, iOS sometimes sends a packet with type 0x56 (Reply to resend request), but with sequence number 0 and length == 4. This short length leads to memory corruption later on when processing the packet: alac_decode() expects at least 16 bytes for AES IV. Therefore the segfault.

This fix ignores packets with length < 16, as seen in another implementation here:
http://fossies.org/dox/mythtv-0.25.1/mythraopconnection_8cpp_source.html#l00555

Please be aware that this just fixes the segfault. The suspicious packet seems to be information about an out-of-sync situation, so it may deserve further attention.

Signed-off-by: Gregor Fabritius <gre@g0r.de>
1 parent f1fd87f commit c4ec84d3981468d4c5c5c144ea4fba916202016c @grefab grefab committed Jul 15, 2012
Showing with 10 additions and 1 deletion.
  1. +10 −1 hairtunes.c
@@ -445,7 +445,16 @@ static void *rtp_thread_func(void *arg) {
plen -= 4;
}
seqno = ntohs(*(unsigned short *)(pktp+2));
- buffer_put_packet(seqno, pktp+12, plen-12);
+
+ // adjust pointer and length
+ pktp += 12;
+ plen -= 12;
+
+ // check if packet contains enough content to be reasonable
+ if (plen < 16)
+ continue;
+
+ buffer_put_packet(seqno, pktp, plen);
}
}
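
Review bot: The `if (plen < 16)` test runs only after `plen -= 12` (and, on the branch above, `plen -= 4`), so it is correct only if plen is a signed type; with an unsigned plen a packet shorter than the 12-byte header would wrap to a very large value and pass the check. Validating before the subtraction, for example `if (plen < 12 + 16) continue;`, removes the dependence on the type and on the order of the arithmetic. The `seqno = ntohs(*(unsigned short *)(pktp+2));` read also happens before any length check, so it would be safer below the test. The literal 16 deserves a named constant or a comment tying it to the AES IV size given in the commit message, and because the message says this packet may signal an out-of-sync condition, a debug log on the `continue` path would help whoever follows up.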