RTSP: avoid integer overflow on funny RTSP response #1969

bagder commented Oct 8, 2017

... like a very large non-existing RTSP version number.

Added test 577 to verify.

Detected by OSS-fuzz.

lib/http.c Outdated
&rtspversion_major,
&conn->rtspversion,
&k->httpcode);
&k->httpcode, &wall);
if(nc == 3) {
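Review bot: the unchanged `if(nc == 3)` test now only works if the conversion into `&wall` fails, and nothing at the call site says so. A one-line comment stating that a return of 4 means trailing digits and is the rejection case would make the intent clear. The same logic rejects a well-formed status line whose reason phrase happens to start with digits, so checking the separator after the status code would be more robust than a sentinel conversion.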

@cmeister2

cmeister2 Oct 8, 2017

Contributor

Is this still going to match? If all fields match, isn't `sscanf` going to return 4 instead?

@bagder

bagder Oct 8, 2017

Member

`sscanf()` is a bit tricky to use for this matching. It doesn't really care about the spaces in the match string so an input like `1.1234567 200` (ie an illegal string) will match `%1d.%d %3d` and store 1, 1 and 234 and return 3. I don't think we want that.

So with `%1d.%d %3d %d` I want the above input to store 1,1,234, 567 and return 4, which isn't and shouldn't be a match.

While explaining this I think the case where the input says `1.1 200 200 reasons to be fine` is also going to not match while it is a fine input. The second "200" just happens to be part of the string...

I'll improve the logic.
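The `sscanf()` matching behaviour discussed in this review thread, as an added C example that is not part of the pull request or curl's code. It applies three parsers to the text after `RTSP/`, using width-limited `%1d` version fields; `parse_strict` and its `%c` separator check are assumptions of this example, and the inputs are constructed.

```c
#include <stdio.h>

/* Each parser takes the text after "RTSP/" and returns the status code,
   or -1 when it rejects the line. Inputs in main() are constructed. */

/* Width-limited fields only. White space in a scanf format matches zero or
   more blanks, so run-together digits are split across the fields. */
int parse_loose(const char *s)
{
  int major, minor, code;
  return sscanf(s, "%1d.%1d %3d", &major, &minor, &code) == 3 ? code : -1;
}

/* Sentinel form discussed in the thread: a fourth %d that must not convert. */
int parse_sentinel(const char *s)
{
  int major, minor, code, wall;
  return sscanf(s, "%1d.%1d %3d %d", &major, &minor, &code, &wall) == 3 ?
    code : -1;
}

/* Hypothetical stricter form (an assumption of this example): capture the
   character after the minor version and after the code with %c and insist on
   separators, then range-check the code since %3d also accepts a sign. */
int parse_strict(const char *s)
{
  int major, minor, code;
  char sep = 0, end = 0;
  int n = sscanf(s, "%1d.%1d%c%3d%c", &major, &minor, &sep, &code, &end);
  if(n < 4 || sep != ' ' || code < 100)
    return -1;
  if(n == 5 && end != ' ' && end != '\r' && end != '\n')
    return -1;
  return code;
}

int main(void)
{
  const char *in[] = { "1.0 200 OK", "1.1234567 200 OK", "1.1 200 200 fine" };
  for(int i = 0; i < 3; i++)
    printf("%-20s loose=%d sentinel=%d strict=%d\n", in[i],
           parse_loose(in[i]), parse_sentinel(in[i]), parse_strict(in[i]));
  return 0;
}
```

The loose parser accepts the run-together line with a status of 234, the sentinel parser rejects it but also rejects the valid line with a numeric reason phrase, and the separator check handles both.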

# Server-side
<reply>
<data>
RTSP/1.1234567 200 OK
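Review bot: the reply data covers only the run-together-digits status line. A companion test with a valid status line whose reason phrase starts with digits (the `1.1 200 200 ...` shape raised in the review) would guard against the tightened parse rejecting good responses. A short comment in the test stating the expected outcome for this reply would also help future readers.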

@cmeister2

cmeister2 Oct 8, 2017

Contributor

Your `sscanf` has `wall` coming from `%d`. Is "OK" going to be matched by `%d`?

RTSP: avoid integer overflow on funny RTSP response
... like a very large non-existing RTSP version number.

Added test 577 to verify.

Detected by OSS-fuzz.

@bagder bagder force-pushed the bagder/rtsp-integer-overflow branch from b73b4d3 to 6df6367 Oct 8, 2017

@bagder bagder closed this in 232dffc Oct 8, 2017

@bagder bagder deleted the bagder/rtsp-integer-overflow branch Oct 8, 2017
