Commit 03ea74c0 authored by Philipp Schafft's avatar Philipp Schafft 🦁

Fix: Worked around buffer overflows in URL auth's cURL interface

This is only a workaround that keeps compatibility with 2.4.x mainline.
A real fix has been implemented in 2.5.x (master).
parent e49086aa
......@@ -141,34 +141,52 @@ static int my_getpass(void *client, char *prompt, char *buffer, int buflen)
static size_t handle_returned_header (void *ptr, size_t size, size_t nmemb, void *stream)
{
auth_client *auth_user = stream;
size_t bytes = size * nmemb;
size_t len = size * nmemb;
client_t *client = auth_user->client;
if (client)
{
if (client) {
auth_t *auth = client->auth;
auth_url *url = auth->state;
if (strncasecmp (ptr, url->auth_header, url->auth_header_len) == 0)
if (url->auth_header && len >= url->auth_header_len && strncasecmp(ptr, url->auth_header, url->auth_header_len) == 0)
client->authenticated = 1;
if (strncasecmp (ptr, url->timelimit_header, url->timelimit_header_len) == 0)
{
if (url->timelimit_header && len > url->timelimit_header_len && strncasecmp(ptr, url->timelimit_header, url->timelimit_header_len) == 0) {
const char *input = ptr;
unsigned int limit = 0;
sscanf ((char *)ptr+url->timelimit_header_len, "%u\r\n", &limit);
client->con->discon_time = time(NULL) + limit;
if (len >= 2 && input[len - 2] == '\r' && input[len - 1] == '\n') {
input += url->timelimit_header_len;
if (sscanf(input, "%u\r\n", &limit) == 1) {
client->con->discon_time = time(NULL) + limit;
} else {
ICECAST_LOG_ERROR("Auth backend returned invalid timeline header: Can not parse limit");
}
} else {
ICECAST_LOG_ERROR("Auth backend returned invalid timelimit header.");
}
}
if (strncasecmp (ptr, "icecast-auth-message: ", 22) == 0)
{
char *eol;
snprintf (url->errormsg, sizeof (url->errormsg), "%s", (char*)ptr+22);
eol = strchr (url->errormsg, '\r');
if (eol == NULL)
eol = strchr (url->errormsg, '\n');
if (eol)
*eol = '\0';
if (len > 24 && strncasecmp(ptr, "icecast-auth-message: ", 22) == 0) {
const char *input = ptr;
size_t copy_len = len - 24 + 1; /* length of string plus \0-termination */
if (copy_len > sizeof(url->errormsg)) {
copy_len = sizeof(url->errormsg);
}
if (len >= 2 && input[len - 2] == '\r' && input[len - 1] == '\n') {
input += 22;
memcpy(url->errormsg, input, copy_len);
url->errormsg[copy_len-1] = 0;
} else {
ICECAST_LOG_ERROR("Auth backend returned invalid message header.");
}
}
}
return bytes;
return len;
}
/* capture returned data, but don't do anything with it */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment