Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.2
icecast
icecast-CVE-2018-18820-2.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File icecast-CVE-2018-18820-2.patch of Package icecast
From 03ea74c04a5966114c2fe66e4e6892d11a68181e Mon Sep 17 00:00:00 2001 From: Philipp Schafft <lion@lion.leolix.org> Date: Sun, 28 Oct 2018 10:42:33 +0000 Subject: [PATCH] Fix: Worked around buffer overflows in URL auth's cURL interface This is only a workaround that keeps compatibility with 2.4.x mainline. A real fix has been implemented in 2.5.x (master). --- src/auth_url.c | 54 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 18 deletions(-) --- a/src/auth_url.c +++ b/src/auth_url.c @@ -141,34 +141,52 @@ static int my_getpass(void *client, char static size_t handle_returned_header (void *ptr, size_t size, size_t nmemb, void *stream) { auth_client *auth_user = stream; - unsigned bytes = size * nmemb; + size_t len = size * nmemb; client_t *client = auth_user->client; - if (client) - { + if (client) { auth_t *auth = client->auth; auth_url *url = auth->state; - if (strncasecmp (ptr, url->auth_header, url->auth_header_len) == 0) + + if (url->auth_header && len >= url->auth_header_len && strncasecmp(ptr, url->auth_header, url->auth_header_len) == 0) client->authenticated = 1; - if (strncasecmp (ptr, url->timelimit_header, url->timelimit_header_len) == 0) - { + + if (url->timelimit_header && len > url->timelimit_header_len && strncasecmp(ptr, url->timelimit_header, url->timelimit_header_len) == 0) { + const char *input = ptr; unsigned int limit = 0; - sscanf ((char *)ptr+url->timelimit_header_len, "%u\r\n", &limit); - client->con->discon_time = time(NULL) + limit; + + if (len >= 2 && input[len - 2] == '\r' && input[len - 1] == '\n') { + input += url->timelimit_header_len; + + if (sscanf(input, "%u\r\n", &limit) == 1) { + client->con->discon_time = time(NULL) + limit; + } else { + ICECAST_LOG_ERROR("Auth backend returned invalid timeline header: Can not parse limit"); + } + } else { + ICECAST_LOG_ERROR("Auth backend returned invalid timelimit header."); + } } - if (strncasecmp (ptr, "icecast-auth-message: ", 22) == 0) - { - char *eol; - snprintf (url->errormsg, sizeof (url->errormsg), "%s", (char*)ptr+22); - eol = strchr (url->errormsg, '\r'); - if (eol == NULL) - eol = strchr (url->errormsg, '\n'); - if (eol) - *eol = '\0'; + + if (len > 24 && strncasecmp(ptr, "icecast-auth-message: ", 22) == 0) { + const char *input = ptr; + size_t copy_len = len - 24 + 1; /* length of string plus \0-termination */ + + if (copy_len > sizeof(url->errormsg)) { + copy_len = sizeof(url->errormsg); + } + + if (len >= 2 && input[len - 2] == '\r' && input[len - 1] == '\n') { + input += 22; + memcpy(url->errormsg, input, copy_len); + url->errormsg[copy_len-1] = 0; + } else { + ICECAST_LOG_ERROR("Auth backend returned invalid message header."); + } } } - return (int)bytes; + return len; } /* capture returned data, but don't do anything with it */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor