diff options
author | Tobias Ronge <tobiasr@axis.com> | 2019-03-14 10:12:27 +0100 |
---|---|---|
committer | Tim-Philipp Müller <tim@centricular.com> | 2019-05-01 17:53:35 +0100 |
commit | 9ff501951e8a776661aeeb8bb6b9758476f6a6de (patch) | |
tree | 5d8225d9eaac3db018f559e5c139685dc1825508 | |
parent | 85c9b7670839801c766a9d1432a5bbc40abcb718 (diff) | |
download | gstreamer-plugins-base-9ff501951e8a776661aeeb8bb6b9758476f6a6de.tar.gz |
gstrtspconnection: Security loophole making heap overflow
The former code allowed an attacker to create a heap overflow by
sending a longer than allowed session id in a response and including a
semicolon to change the maximum length. With this change, the parser
will never go beyond 512 bytes.
-rw-r--r-- | gst-libs/gst/rtsp/gstrtspconnection.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c index 02b192cf4..a2c6a4ca6 100644 --- a/gst-libs/gst/rtsp/gstrtspconnection.c +++ b/gst-libs/gst/rtsp/gstrtspconnection.c @@ -2132,7 +2132,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message, maxlen = sizeof (conn->session_id) - 1; /* the sessionid can have attributes marked with ; * Make sure we strip them */ - for (i = 0; session_id[i] != '\0'; i++) { + for (i = 0; i < maxlen && session_id[i] != '\0'; i++) { if (session_id[i] == ';') { maxlen = i; /* parse timeout */ |