1 From f672277509705c4034bc92a141eefee4524d15aa Mon Sep 17 00:00:00 2001
2 From: Tobias Ronge <tobiasr@axis.com>
3 Date: Thu, 14 Mar 2019 10:12:27 +0100
4 Subject: [PATCH] gstrtspconnection: Security loophole making heap overflow
6 The former code allowed an attacker to create a heap overflow by
7 sending a longer than allowed session id in a response and including a
8 semicolon to change the maximum length. With this change, the parser
9 will never go beyond 512 bytes.
11 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
13 gst-libs/gst/rtsp/gstrtspconnection.c | 2 +-
14 1 file changed, 1 insertion(+), 1 deletion(-)
16 diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
17 index a6755bedd..c0429064a 100644
18 --- a/gst-libs/gst/rtsp/gstrtspconnection.c
19 +++ b/gst-libs/gst/rtsp/gstrtspconnection.c
20 @@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
21 maxlen = sizeof (conn->session_id) - 1;
22 /* the sessionid can have attributes marked with ;
23 * Make sure we strip them */
24 - for (i = 0; session_id[i] != '\0'; i++) {
25 + for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
26 if (session_id[i] == ';') {
projects / buildroot.git / blob