Skip to content

RTSP: avoid integer overflow on funny RTSP response #1969

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

RTSP: avoid integer overflow on funny RTSP response #1969

wants to merge 1 commit into from

Conversation

@bagder
Copy link
Member

@bagder bagder commented Oct 8, 2017

... like a very large non-existing RTSP version number.

Added test 577 to verify.

Detected by OSS-fuzz.

cmeister2
cmeister2 reviewed Oct 8, 2017
View reviewed changes
lib/http.c Outdated
Copy link
Contributor

@cmeister2 cmeister2 Oct 8, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this still going to match? If all fields match, isn't sscanf going to return 4 instead?

Copy link
Member Author

@bagder bagder Oct 8, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sscanf() is a bit tricky to use for this matching. It doesn't really care about the spaces in the match string so an input like 1.1234567 200 (ie an illegal string) will match %1d.%d %3d and store 1, 1 and 234 and return 3. I don't think we want that.

So with %1d.%d %3d %d I want the above input to store 1,1,234, 567 and return 4, which isn't and shouldn't be a match.

While explaining this I think the case where the input says 1.1 200 200 reasons to be fine is also going to not match while it is a fine input. The second "200" just happens to be part of the string...

I'll improve the logic.

tests/data/test577 Outdated
Copy link
Contributor

@cmeister2 cmeister2 Oct 8, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your sscanf has wall coming from %d. Is "OK" going to be matched by %d?

@bagder
RTSP: avoid integer overflow on funny RTSP response
6df6367 
... like a very large non-existing RTSP version number.

Added test 577 to verify.

Detected by OSS-fuzz.
@bagder bagder force-pushed the bagder/rtsp-integer-overflow branch from b73b4d3 to 6df6367 Compare October 8, 2017 15:51
@bagder bagder closed this in 232dffc Oct 8, 2017
@bagder bagder deleted the bagder/rtsp-integer-overflow branch October 8, 2017 22:42
@lock lock bot locked as resolved and limited conversation to collaborators Jan 18, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cmeister2 cmeister2 cmeister2 left review comments

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bagder @cmeister2