From: gnunet
Subject: [GNUnet-SVN] [gnurl] 28/73: RTSP: avoid integer overflow on funny RTSP response
Date: Tue, 24 Oct 2017 18:54:09 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 232dffcf2422baefa66617fdae2fb20085a8e386
Author: Daniel Stenberg <address@hidden>
AuthorDate: Sun Oct 8 17:15:44 2017 +0200
RTSP: avoid integer overflow on funny RTSP response
... like a very large non-existing RTSP version number.
Added test 577 to verify.
Detected by OSS-fuzz.
Closes #1969
---
lib/http.c | 6 ++++--
tests/data/Makefile.inc | 2 +-
tests/data/test577 | 55 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index 38227eb6c..b3978af42 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3387,12 +3387,14 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy
*data,
}
}
else if(conn->handler->protocol & CURLPROTO_RTSP) {
+ char separator;
nc = sscanf(HEADER1,
- " RTSP/%d.%d %3d",
+ " RTSP/%1d.%1d%c%3d",
&rtspversion_major,
&conn->rtspversion,
+ &separator,
&k->httpcode);
- if(nc == 3) {
+ if((nc == 4) && (' ' == separator)) {
conn->rtspversion += 10 * rtspversion_major;
conn->httpversion = 11; /* For us, RTSP acts like HTTP 1.1 */
}
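Review bot: the sscanf call in the RTSP branch has no comment saying why the separator is captured with `%c` and compared against ' ' instead of being written as a literal space in the format string. A literal space in a scanf format matches zero or more whitespace characters, so with `%1d.%1d %3d` a status line like the one in test 577 would still convert three fields, with the digits following the minor version read as the status code. A one-line comment above the call would keep a later cleanup from folding the separator back into the format. Separately, `%3d` still accepts a leading sign, so `k->httpcode` can be negative after this call; it is worth confirming that a later range check covers that, or adding one next to the `nc == 4` test.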
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 74fdc37fa..caf7314de 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -70,7 +70,7 @@ test536 test537 test538 test539 test540 test541 test542
test543 test544 \
test545 test546 test547 test548 test549 test550 test551 test552 test553 \
test554 test555 test556 test557 test558 test559 test560 test561 test562 \
test563 test564 test565 test566 test567 test568 test569 test570 test571 \
-test572 test573 test574 test575 test576 test578 test579 test580 \
+test572 test573 test574 test575 test576 test577 test578 test579 test580 \
test581 test582 test583 test584 test585 test586 test587 test588 test589 \
test590 test591 test592 test593 test594 test595 test596 test597 test598 \
test599 test600 test601 test602 test603 test604 test605 test606 test607 \
diff --git a/tests/data/test577 b/tests/data/test577
new file mode 100644
index 000000000..525549264
--- /dev/null
+++ b/tests/data/test577
@@ -0,0 +1,55 @@
+<testcase>
+
+#Informational
+<info>
+<keywords>
+RTSP
+OPTIONS
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data>
+RTSP/1.1234567 200 OK
+Server: RTSPD/libcurl-test
+CSeq: 1
+Public: DESCRIBE, OPTIONS, SETUP, TEARDOWN, PLAY, PAUSE
+Curl-Private: swsclose
+</data>
+<datacheck>
+</datacheck>
+</reply>
+
+# Client-Side
+<client>
+<server>
+rtsp
+</server>
+<tool>
+lib567
+</tool>
+
+<name>
+Funny RTSP version in response
+</name>
+<command>
+rtsp://%HOSTIP:%RTSPPORT/577
+</command>
+</client>
+
+<verify>
+<protocol>
+OPTIONS rtsp://%HOSTIP:%RTSPPORT/577 RTSP/1.0
+CSeq: 1
+User-Agent: test567
+Test-Number: 567
+
+</protocol>
+# 8 == CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+</verify>
+
+</testcase>
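Review bot: the `<verify>` section expects `User-Agent: test567` and `Test-Number: 567` in a file named test577, which reads like a copy-paste slip unless the reader knows these values come from the reused `lib567` tool. A short `#` comment next to `<tool>` or above `<protocol>` saying so would help. The reply data also exercises only an oversized minor version (`RTSP/1.1234567 200 OK`); since the lib/http.c change limits both fields to one digit and adds a separator check, a second case with an oversized major version or a non-space character after the minor version would cover the other new rejection paths.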