When parsing the request packet in function handleRequestBytes, the code doesn't check the Content-Length and uses it in memmove. This finally causes a buffer overflow.
    unsigned requestSize = (fLastCRLF+4-fRequestBuffer) + contentLength;
    numBytesRemaining = fRequestBytesAlreadySeen - requestSize;
    resetRequestBuffer(); // to prepare for any subsequent request
    if (numBytesRemaining > 0) {
      memmove(fRequestBuffer, &fRequestBuffer[requestSize], numBytesRemaining);
      newBytesRead = numBytesRemaining;
    }
There is a Content-Length check, but it only sets parseSucceeded to false.
This can't avoid the memmove.
    Boolean parseSucceeded = parseRTSPRequestString((char*)fRequestBuffer, fLastCRLF+2 - fRequestBuffer,
                                                    cmdName, sizeof cmdName,
                                                    urlPreSuffix, sizeof urlPreSuffix,
                                                    urlSuffix, sizeof urlSuffix,
                                                    cseq, sizeof cseq,
                                                    sessionIdStr, sizeof sessionIdStr,
                                                    contentLength);
    fLastCRLF[2] = '\r'; // restore its value
    // Check first for a bogus "Content-Length" value that would cause a pointer wraparound:
    if (tmpPtr + 2 + contentLength < tmpPtr + 2) {
#ifdef DEBUG
      fprintf(stderr, "parseRTSPRequestString() returned a bogus \"Content-Length:\" value: 0x%x (%d)\n", contentLength, (int)contentLength);
#endif
      parseSucceeded = False;
    }
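As an added illustration (not live555's code and not part of this report), the unsigned arithmetic from handleRequestBytes is modelled in plain C beside a bounds check that rejects an unusable Content-Length before any memmove runs. header_len, bytes_seen, buf_size and all function names are hypothetical stand-ins for the member variables quoted above.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical stand-ins (added example, not live555's code):
 * header_len ~ fLastCRLF+4-fRequestBuffer, bytes_seen ~ fRequestBytesAlreadySeen */

/* Same arithmetic as the original: no range check, so when
 * header_len + content_length exceeds bytes_seen the subtraction wraps
 * and the "remaining" count handed to memmove becomes enormous. */
unsigned unchecked_remaining(unsigned header_len, unsigned content_length,
                             unsigned bytes_seen) {
    unsigned request_size = header_len + content_length;
    return bytes_seen - request_size; /* wraps when request_size > bytes_seen */
}

/* Hardened form: validate before touching the buffer. Returns false when the
 * Content-Length cannot fit the bytes actually received. The comparison is
 * written so it cannot itself overflow, so it covers both the pointer-wraparound
 * case the original tests for and the plain "too large" case it does not. */
bool checked_remaining(unsigned header_len, unsigned content_length,
                       unsigned bytes_seen, unsigned buf_size,
                       unsigned *remaining) {
    if (header_len > bytes_seen || bytes_seen > buf_size) return false;
    if (content_length > bytes_seen - header_len) return false;
    *remaining = bytes_seen - header_len - content_length;
    return true;
}

/* Only after the check passes is the unconsumed tail moved to the front.
 * Returns bytes kept, or 0 when the request was rejected. */
unsigned consume_request(unsigned char *buf, unsigned buf_size,
                         unsigned header_len, unsigned content_length,
                         unsigned bytes_seen) {
    unsigned remaining;
    if (!checked_remaining(header_len, content_length, bytes_seen, buf_size, &remaining))
        return 0;
    if (remaining > 0)
        memmove(buf, buf + header_len + content_length, remaining);
    return remaining;
}

/* Self-check on a constructed 64-byte buffer: 40-byte header, 10-byte body,
 * and 10 bytes of the next request already read behind it. */
bool tail_moved_correctly(void) {
    unsigned char buf[64];
    memset(buf, 'A', sizeof buf);
    memcpy(buf + 50, "NEXT-REQ01", 10);
    return consume_request(buf, sizeof buf, 40, 10, 60) == 10
        && memcmp(buf, "NEXT-REQ01", 10) == 0;
}
```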
I can make the server crash with a simple packet.