In the lastest version of live555, there is a memory leak issue.
The attacker can make the server crash with this issue.
when parse the setup packet with many username fileds, the value of username will be duplicated many times at [1].
The pointers of username value can't be freed ever, except for the last one.
The fileds realmnonceuriresponse have the same problem.
staticBooleanparseAuthorizationHeader(charconst* buf,
charconst*& username,
charconst*& realm,
charconst*& nonce, charconst*& uri,
charconst*& response) {
// Initialize the result parameters to default values:
username = realm = nonce = uri = response = NULL;
// First, find "Authorization:"while (1) {
if (*buf == '\0') return False; // not foundif (_strncasecmp(buf, "Authorization: Digest ", 22) == 0) break;
++buf;
}
// Then, run through each of the fields, looking for ones we handle:charconst* fields = buf + 22;
while (*fields == '') ++fields;
char* parameter = strDupSize(fields);
char* value = strDupSize(fields);
while (1) {
value[0] = '\0';
if (sscanf(fields, "%[^=]=\"%[^\"]\"", parameter, value) != 2 &&
sscanf(fields, "%[^=]=\"\"", parameter) != 1) {
break;
}
if (strcmp(parameter, "username") == 0) {
username = strDup(value); //[1]
} elseif (strcmp(parameter, "realm") == 0) {
realm = strDup(value);
} elseif (strcmp(parameter, "nonce") == 0) {
nonce = strDup(value);
} elseif (strcmp(parameter, "uri") == 0) {
uri = strDup(value);
} elseif (strcmp(parameter, "response") == 0) {
response = strDup(value);
}
fields += strlen(parameter) + 2/*="*/ + strlen(value) + 1/*"*/;
while (*fields == ',' || *fields == '') ++fields;
// skip over any separating ',' and ' ' charsif (*fields == '\0' || *fields == '\r' || *fields == '\n') break;
}
delete[] parameter; delete[] value;
return True;
}
The text was updated successfully, but these errors were encountered:
In the lastest version of live555, there is a memory leak issue.
The attacker can make the server crash with this issue.
when parse the
setuppacket with manyusernamefileds, the value of username will be duplicated many times at [1].The pointers of username value can't be freed ever, except for the last one.
The fileds
realmnonceuriresponsehave the same problem.The text was updated successfully, but these errors were encountered: