RTSP: avoid integer overflow on funny RTSP response #1969

Closed

Owner

bagder commented Oct 8, 2017

... like a very large non-existing RTSP version number.

Added test 577 to verify.

Detected by OSS-fuzz.

lib/http.c
&rtspversion_major,
&conn->rtspversion,
- &k->httpcode);
+ &k->httpcode, &wall);
if(nc == 3) {
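Review bot: the acceptance check `if(nc == 3)` stays as it is while a fourth target `&wall` is added to the sscanf() call, so the intended effect must be that any line which fills all four conversions (nc == 4) is rejected. That ties validity to whatever follows the status code rather than to the version field itself: a well-formed response whose reason phrase starts with digits would also reach nc == 4 and be refused, while an overlong minor version followed by a textual reason phrase still returns 3, because a trailing `%d` cannot consume letters. Bounding the field directly is simpler and harder to get wrong: give the minor-version conversion a width, as `%3d` already does for `httpcode`, or parse the version with strtol() and range-check it before storing into `conn->rtspversion`. The format string that `&wall` pairs with is outside the shown lines, so this hunk alone does not confirm that the added conversion is a plain `%d` as the discussion says; including those lines in the diff would make the intent reviewable.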
cmeister2 Oct 8, 2017

Contributor

Is this still going to match? If all fields match, isn't sscanf going to return 4 instead?

bagder Oct 8, 2017

Owner

sscanf() is a bit tricky to use for this matching. It doesn't really care about the spaces in the match string, so an input like 1.1234567 200 (i.e. an illegal string) will match %1d.%d %3d and store 1, 1 and 234 and return 3. I don't think we want that.

So with %1d.%d %3d %d I want the above input to store 1,1,234, 567 and return 4, which isn't and shouldn't be a match.

While explaining this, I think the case where the input says 1.1 200 200 reasons to be fine is also not going to match, while it is a fine input. The second "200" just happens to be part of the string...

I'll improve the logic.
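The matching behaviour described in the comment above, as an added example in C that is not curl's code: `scan3` and `scan4` call sscanf() with the formats `RTSP/%1d.%1d %3d` and `RTSP/%1d.%1d %3d %d` (the `%1d` width on the minor version is this example's assumption, chosen so the input splits into 1, 1, 234 and then 567 exactly as described), and `parse_strict`, with its helper `parse_bounded_int`, is a hand-written alternative that bounds every field so the fuzzed line is rejected outright instead of being mis-split or overflowing an int. The status lines are constructed for the demo, and the single-digit version limit in `parse_strict` is an assumption of the example, not something the PR specifies.

```c
/* Added example, not curl's code: sscanf() on RTSP status lines beside a
 * strict parser that bounds every field. All lines are constructed. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

struct status {
  int n;     /* fields matched: sscanf()'s return value, or 3/0 from parse_strict */
  int major;
  int minor;
  int code;
  int wall;  /* only written by scan4 */
};

/* Three-field match (the %1d width on minor is this example's assumption).
 * A blank in a scanf format matches zero or more whitespace characters, so
 * "RTSP/1.1234567 200" gives major=1, minor=1, code=234 and n=3: the digit
 * run is split across the conversions instead of being rejected. */
struct status scan3(const char *line)
{
  struct status s = {0, 0, 0, 0, 0};
  s.n = sscanf(line, "RTSP/%1d.%1d %3d", &s.major, &s.minor, &s.code);
  return s;
}

/* Same match with a trailing %d "wall". The fuzzed line now gives n=4
 * (567 lands in wall), but so does a valid "RTSP/1.1 200 200 reasons",
 * while "RTSP/1.1 200 OK" stays at n=3 because %d cannot consume "OK". */
struct status scan4(const char *line)
{
  struct status s = {0, 0, 0, 0, 0};
  s.n = sscanf(line, "RTSP/%1d.%1d %3d %d",
               &s.major, &s.minor, &s.code, &s.wall);
  return s;
}

/* Read 1..maxdigits decimal digits at *pp into *out and advance *pp.
 * Fails on no digit, too many digits, or a value above INT_MAX, so no
 * input length can overflow the accumulator (keep maxdigits <= 9). */
static int parse_bounded_int(const char **pp, int maxdigits, int *out)
{
  const char *p = *pp;
  int n = 0;
  long v = 0;
  while(isdigit((unsigned char)p[n])) {
    if(++n > maxdigits)
      return 0;
    v = v * 10 + (p[n - 1] - '0');
  }
  if(n == 0 || v > INT_MAX)
    return 0;
  *out = (int)v;
  *pp = p + n;
  return 1;
}

/* Strict grammar: "RTSP/" digit "." digit SP 3digits (SP | CR | LF | end).
 * Single-digit version fields are this example's assumption (RTSP 1.0 and
 * 2.0 are the versions defined so far). Returns n=3 on success, n=0 on any
 * deviation; the reason phrase itself is not inspected. */
struct status parse_strict(const char *line)
{
  struct status s = {0, 0, 0, 0, 0};
  const char *p = line;
  if(strncmp(p, "RTSP/", 5) != 0)
    return s;
  p += 5;
  if(!parse_bounded_int(&p, 1, &s.major) || *p++ != '.' ||
     !parse_bounded_int(&p, 1, &s.minor) || *p++ != ' ')
    return s;
  /* status code: exactly three digits, 100..999 (four or more fails above) */
  if(!parse_bounded_int(&p, 3, &s.code) || s.code < 100)
    return s;
  if(*p != '\0' && *p != ' ' && *p != '\r' && *p != '\n')
    return s;
  s.n = 3;
  return s;
}

int main(void)
{
  static const char *const lines[] = {
    "RTSP/1.1234567 200 OK",    /* the line test 577 feeds the client */
    "RTSP/1.1 200 200 reasons", /* valid; reason phrase starts with digits */
    "RTSP/1.1 200 OK",
    "RTSP/1.0 2000 OK",
  };
  size_t i;
  for(i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
    struct status a = scan3(lines[i]), b = scan4(lines[i]), c = parse_strict(lines[i]);
    printf("%-26s scan3 n=%d minor=%d code=%d | scan4 n=%d wall=%d | strict n=%d\n",
           lines[i], a.n, a.minor, a.code, b.n, b.wall, c.n);
  }
  return 0;
}
```

The point of `parse_strict` is that validity is decided by the shape of the version and status fields themselves, not by how many conversions happen to succeed after them, so a reason phrase that starts with digits is accepted and an overlong version number is refused regardless of what follows it.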

+# Server-side
+<reply>
+<data>
+RTSP/1.1234567 200 OK
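Review bot: the server reply exercises only the malformed line `RTSP/1.1234567 200 OK`. Because the code change alters how trailing fields affect the sscanf() match count, a companion reply with a valid status line whose reason phrase begins with digits (for example `RTSP/1.0 200 200 reasons`) would show that legitimate responses still parse after the change; without it a regression in that direction goes unnoticed. It is also worth pinning down in the test's expected-results section which error curl must report for the malformed line, so the test fails if the line is silently accepted and not only if the client crashes.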
cmeister2 Oct 8, 2017

Contributor

Your sscanf has wall coming from %d. Is "OK" going to be matched by %d?

bagder closed this in 232dffc Oct 8, 2017

bagder deleted the bagder/rtsp-integer-overflow branch Oct 8, 2017
