Commit
47cb709b
authored
Oct 31, 2018
by
Philipp Schafft
🦁
Merge branch 'ph3-fix-bufferoverflow'
See:
#2342
parents
e75b85fe
162e3dd6
Pipeline
#477
failed with stage
in 14 seconds
Showing
2 changed files
with
48 additions
and
5 deletions
+48
-5
src/auth_url.c
src/auth_url.c
+28
-2
src/format.c
src/format.c
+20
-3
src/auth_url.c
...
...
@@ -343,6 +343,7 @@ static auth_result url_remove_client(auth_client *auth_user)
const
char
*
agent
;
char
*
user_agent
,
*
ipaddr
;
int
ret
;
if
(
url
->
removeurl
==
NULL
)
return
AUTH_OK
;
...
...
@@ -378,7 +379,7 @@ static auth_result url_remove_client(auth_client *auth_user)
mount
=
util_url_escape
(
mountreq
);
ipaddr
=
util_url_escape
(
client
->
con
->
ip
);
snprintf
(
post
,
sizeof
(
post
),
ret
=
snprintf
(
post
,
sizeof
(
post
),
"action=%s&server=%s&port=%d&client=%lu&mount=%s"
"&user=%s&pass=%s&duration=%lu&ip=%s&agent=%s"
,
url
->
removeaction
,
/* already escaped */
...
...
@@ -392,6 +393,12 @@ static auth_result url_remove_client(auth_client *auth_user)
free
(
ipaddr
);
free
(
user_agent
);
if
(
ret
<=
0
||
ret
>=
(
ssize_t
)
sizeof
(
post
))
{
ICECAST_LOG_ERROR
(
"Authentication failed for client %p as header POST data is too long."
,
client
);
auth_user_url_clear
(
auth_user
);
return
AUTH_FAILED
;
}
if
(
strchr
(
url
->
removeurl
,
'@'
)
==
NULL
)
{
if
(
url
->
userpwd
)
{
curl_easy_setopt
(
url
->
handle
,
CURLOPT_USERPWD
,
url
->
userpwd
);
...
...
@@ -499,6 +506,13 @@ static auth_result url_add_client(auth_client *auth_user)
free
(
password
);
free
(
ipaddr
);
if
(
post_offset
<=
0
||
post_offset
>=
(
ssize_t
)
sizeof
(
post
))
{
ICECAST_LOG_ERROR
(
"Authentication failed for client %p as header POST data is too long."
,
client
);
auth_user_url_clear
(
auth_user
);
return
AUTH_FAILED
;
}
pass_headers
=
NULL
;
if
(
url
->
pass_headers
)
pass_headers
=
strdup
(
url
->
pass_headers
);
...
...
@@ -513,13 +527,25 @@ static auth_result url_add_client(auth_client *auth_user)
header_val
=
httpp_getvar
(
client
->
parser
,
cur_header
);
if
(
header_val
)
{
size_t
left
=
sizeof
(
post
)
-
post_offset
;
int
ret
;
header_valesc
=
util_url_escape
(
header_val
);
post_offset
+
=
snprintf
(
post
+
post_offset
,
ret
=
snprintf
(
post
+
post_offset
,
sizeof
(
post
)
-
post_offset
,
"&%s%s=%s"
,
url
->
prefix_headers
?
url
->
prefix_headers
:
""
,
cur_header
,
header_valesc
);
free
(
header_valesc
);
if
(
ret
<=
0
||
(
size_t
)
ret
>=
left
)
{
ICECAST_LOG_ERROR
(
"Authentication failed for client %p as header
\"
%H
\"
is too long."
,
client
,
cur_header
);
free
(
pass_headers
);
auth_user_url_clear
(
auth_user
);
return
AUTH_FAILED
;
}
else
{
post_offset
+=
ret
;
}
}
cur_header
=
next_header
;
...
...
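Review bot: In the pass-headers loop of url_add_client, the new `left` variable is used for the truncation check, but the snprintf() call itself is still given `sizeof(post) - post_offset`, so the size that bounds the write and the size that is checked are two expressions that have to be kept equal by hand. Passing `left` to the call (`ret = snprintf(post + post_offset, left, "&%s%s=%s", ...)`) makes the write and the check share one bound. A short comment such as `/* snprintf returns the length it wanted to write; ret >= left means the output was truncated */` would explain why the comparison is `>=` rather than `>`. The log text "Authentication failed for client %p as header POST data is too long." is also reused in url_remove_client, where the request is a removal notification and no header data is involved, so a message naming the removal would be clearer when reading logs. The loop and both functions begin and end outside the visible hunks.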
src/format.c
...
...
@@ -295,7 +295,7 @@ static inline ssize_t __print_var(char *str, size_t remaining, const char *forma
for
(
i
=
0
;
i
<
var
->
values
;
i
++
)
{
ret
=
snprintf
(
str
+
done
,
remaining
-
done
,
format
,
first
,
var
->
value
[
i
]);
if
(
ret
==
-
1
)
if
(
ret
<=
0
||
(
size_t
)
ret
>=
(
remaining
-
done
)
)
return
-
1
;
done
+=
ret
;
...
...
@@ -331,7 +331,7 @@ static int format_prepare_headers (source_t *source, client_t *client)
client
->
respcode
=
200
;
bytes
=
util_http_build_header
(
ptr
,
remaining
,
0
,
0
,
200
,
NULL
,
source
->
format
->
contenttype
,
NULL
,
NULL
,
source
,
client
);
if
(
bytes
<
0
)
{
if
(
bytes
<
=
0
)
{
ICECAST_LOG_ERROR
(
"Dropping client as we can not build response headers."
);
client
->
respcode
=
500
;
return
-
1
;
...
...
@@ -342,7 +342,7 @@ static int format_prepare_headers (source_t *source, client_t *client)
client
->
refbuf
->
data
=
ptr
=
new_ptr
;
client
->
refbuf
->
len
=
remaining
=
bytes
+
1024
;
bytes
=
util_http_build_header
(
ptr
,
remaining
,
0
,
0
,
200
,
NULL
,
source
->
format
->
contenttype
,
NULL
,
NULL
,
source
,
client
);
if
(
bytes
==
-
1
)
{
if
(
bytes
<=
0
||
(
size_t
)
bytes
>=
remaining
)
{
ICECAST_LOG_ERROR
(
"Dropping client as we can not build response headers."
);
client
->
respcode
=
500
;
return
-
1
;
...
...
@@ -354,6 +354,11 @@ static int format_prepare_headers (source_t *source, client_t *client)
}
}
if
(
bytes
<=
0
||
(
size_t
)
bytes
>=
remaining
)
{
ICECAST_LOG_ERROR
(
"Can not allocate headers for client %p"
,
client
);
client
->
respcode
=
500
;
return
-
1
;
}
remaining
-=
bytes
;
ptr
+=
bytes
;
...
...
@@ -421,6 +426,13 @@ static int format_prepare_headers (source_t *source, client_t *client)
}
}
if
(
bytes
<
0
||
(
size_t
)
bytes
>=
remaining
)
{
avl_tree_unlock
(
source
->
parser
->
vars
);
ICECAST_LOG_ERROR
(
"Can not allocate headers for client %p"
,
client
);
client
->
respcode
=
500
;
return
-
1
;
}
remaining
-=
bytes
;
ptr
+=
bytes
;
if
(
next
)
...
...
@@ -429,6 +441,11 @@ static int format_prepare_headers (source_t *source, client_t *client)
avl_tree_unlock
(
source
->
parser
->
vars
);
bytes
=
snprintf
(
ptr
,
remaining
,
"
\r\n
"
);
if
(
bytes
<=
0
||
(
size_t
)
bytes
>=
remaining
)
{
ICECAST_LOG_ERROR
(
"Can not allocate headers for client %p"
,
client
);
client
->
respcode
=
500
;
return
-
1
;
}
remaining
-=
bytes
;
ptr
+=
bytes
;
...
...
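Review bot: The check added at the end of the variable loop in format_prepare_headers (the hunk at -421) tests `bytes < 0`, while the other checks this commit adds in the same function test `bytes <= 0`. If a zero-length result is legitimate at that point (an iteration that emits nothing), a comment such as `/* bytes == 0: nothing was written for this variable */` should say so; if it is not, the line should read `if (bytes <= 0 || (size_t)bytes >= remaining) {` like its siblings. The loop body and the assignment to `bytes` lie outside the hunk, so which case applies cannot be confirmed from the visible lines.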