
RTSP: avoid integer overflow on funny RTSP response #1969

Closed
1 commit

Conversation

bagder (Member) commented Oct 8, 2017

... like a very large non-existing RTSP version number.

Added test 577 to verify.

Detected by OSS-fuzz.

lib/http.c (review comment on an outdated revision)
&rtspversion_major,
&conn->rtspversion,
&k->httpcode);
&k->httpcode, &wall);
if(nc == 3) {
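Review bot: `if(nc == 3)` is out of step with the call it guards: the sscanf now has four destinations (the last argument line becomes `&k->httpcode, &wall);`), so a response in which all four conversions succeed returns 4 and is rejected, while one in which only the first three succeed still returns 3 and is accepted. Decide which count is the accepted one and test for it explicitly; as written, a perfectly valid status line whose reason phrase starts with something the fourth conversion can consume (the "1.1 200 200 reasons to be fine" case raised further down) fails this check, and a line whose fourth field is non-numeric ("OK") passes it.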
cmeister2 (Contributor) Oct 8, 2017

Is this still going to match? If all fields match, isn't sscanf going to return 4 instead?

bagder (Member, Author) Oct 8, 2017

sscanf() is a bit tricky to use for this matching. It doesn't really care about the spaces in the match string, so an input like 1.1234567 200 (i.e. an illegal string) will match %1d.%d %3d and store 1, 1 and 234 and return 3. I don't think we want that.

So with %1d.%d %3d %d I want the above input to store 1, 1, 234, 567 and return 4, which isn't and shouldn't be a match.

While explaining this I think the case where the input says 1.1 200 200 reasons to be fine is also not going to match, while it is a fine input. The second "200" just happens to be part of the string...

I'll improve the logic.
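The two sscanf pitfalls discussed in this thread, the unbounded %d conversion that an absurdly long version number can overflow and the format-string space that matches any amount of whitespace including none, are easiest to see next to a parser that avoids them. The following is an added example written for this page; it is not curl's code and nothing in lib/http.c is structured this way. It hand-parses an RTSP status line with fixed digit counts and explicit separator checks, treats the reason phrase as opaque text (so "OK" never has to convert as a number and "200 reasons to be fine" is fine), and keeps a sscanf-based variant (with a one-digit minor version, so the leak into the status code is visible) for contrast. The enum names, function names and sample lines are all this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not curl's code. Parses "RTSP/<major>.<minor> <3-digit
 * code> <reason>". Numeric fields are read with a fixed digit count, so a
 * huge version number cannot overflow an int the way an unbounded
 * sscanf("%d") conversion can, and every separator is checked explicitly
 * rather than via a space in a format string (which sscanf reads as
 * "zero or more whitespace characters"). */

enum rtsp_status_result {          /* this example's own result codes */
    RTSP_OK = 0,
    RTSP_BAD_PREFIX,               /* does not start with "RTSP/" */
    RTSP_BAD_VERSION,              /* version is not digit.digit */
    RTSP_BAD_SEPARATOR,            /* no single space before the code */
    RTSP_BAD_CODE                  /* code is not exactly three digits */
};

/* Read exactly `width` ASCII digits at *p into *out and advance *p.
 * Returns -1 if any of them is not a digit. With width <= 9 the value
 * always fits in an int, so no overflow is possible. */
static int read_digits(const char **p, int width, int *out)
{
    int value = 0;
    for(int i = 0; i < width; i++) {
        unsigned char c = (unsigned char)(*p)[i];
        if(!isdigit(c))
            return -1;
        value = value * 10 + (c - '0');
    }
    *p += width;
    *out = value;
    return 0;
}

/* On RTSP_OK, *major, *minor and *code are set and *reason points at the
 * reason phrase (possibly empty, possibly starting with digits). */
enum rtsp_status_result parse_rtsp_status(const char *line, int *major,
                                          int *minor, int *code,
                                          const char **reason)
{
    const char *p = line;

    if(strncmp(p, "RTSP/", 5) != 0)
        return RTSP_BAD_PREFIX;
    p += 5;

    /* RTSP versions are one digit on each side of the dot ("RTSP/1.0").
     * Insisting on exactly one digit is what rejects "RTSP/1.1234567 200 OK"
     * instead of letting "234" leak into the code or the long run
     * overflow the minor version. */
    if(read_digits(&p, 1, major) != 0 || *p != '.')
        return RTSP_BAD_VERSION;
    p++;
    if(read_digits(&p, 1, minor) != 0)
        return RTSP_BAD_VERSION;

    if(*p != ' ')                        /* exactly one space ...        */
        return RTSP_BAD_SEPARATOR;
    p++;
    if(read_digits(&p, 3, code) != 0)    /* ... then exactly three digits */
        return RTSP_BAD_CODE;

    /* The code must end at a space or end of line, so "RTSP/1.1 2000 OK"
     * is refused rather than silently truncated to 200. */
    if(*p != '\0' && *p != ' ' && *p != '\r' && *p != '\n')
        return RTSP_BAD_CODE;
    while(*p == ' ')
        p++;
    /* Everything after the code is the reason phrase and is never parsed
     * as a number: "RTSP/1.1 200 200 reasons to be fine" gives code 200. */
    *reason = p;
    return RTSP_OK;
}

/* Status code of `line`, or -1 when the line is rejected. */
int rtsp_status_code(const char *line)
{
    int major, minor, code;
    const char *reason;
    if(parse_rtsp_status(line, &major, &minor, &code, &reason) != RTSP_OK)
        return -1;
    return code;
}

/* Contrast: the sscanf style discussed in the thread, with a one-digit
 * minor version. The space in the format matches any run of whitespace,
 * including none, so "RTSP/1.1234567 200 OK" converts 1, 1 and 234,
 * returns 3 and passes as a match. Returns the code or -1. */
int naive_sscanf_status_code(const char *line)
{
    int major, minor, code;
    if(sscanf(line, "RTSP/%1d.%1d %3d", &major, &minor, &code) != 3)
        return -1;
    return code;
}

int main(void)
{
    /* Constructed sample lines; the third is the shape test 577 sends. */
    const char *samples[] = { "RTSP/1.0 200 OK",
                              "RTSP/1.1 200 200 reasons to be fine",
                              "RTSP/1.1234567 200 OK",
                              "RTSP/1.1 99999999999999999999 OK" };
    for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-38s strict=%d naive=%d\n", samples[i],
               rtsp_status_code(samples[i]),
               naive_sscanf_status_code(samples[i]));
    return 0;
}
```

Running it prints a strict/naive pair per line: the strict parser returns 200, 200, -1, -1, while the sscanf variant returns 200, 200, 234 and 999, accepting both malformed lines. The general lesson for any status-line parser fed by an untrusted server is the one OSS-fuzz found here: bound every numeric conversion by the width the protocol actually allows, and check separators yourself rather than trusting a space in a scanf format.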

# Server-side
<reply>
<data>
RTSP/1.1234567 200 OK
cmeister2 (Contributor) Oct 8, 2017

Your sscanf has wall coming from %d. Is "OK" going to be matched by %d?

bagder force-pushed the bagder/rtsp-integer-overflow branch from b73b4d3 to 6df6367 on Oct 8, 2017
bagder deleted the bagder/rtsp-integer-overflow branch on Oct 8, 2017
lock bot locked this as resolved and limited conversation to collaborators on Jan 18, 2019