Commit 548e7963 authored by Philipp Schafft's avatar Philipp Schafft

Fix: Fixed bufferoverflow within url_add_client()

This can be trigged by:
* overly long username,
* overly long password,
* overly long user agent string,
* overly long path.
parent 081a7974
......@@ -343,6 +343,7 @@ static auth_result url_remove_client(auth_client *auth_user)
const char *agent;
char *user_agent,
*ipaddr;
int ret;
if (url->removeurl == NULL)
return AUTH_OK;
......@@ -378,7 +379,7 @@ static auth_result url_remove_client(auth_client *auth_user)
mount = util_url_escape(mountreq);
ipaddr = util_url_escape(client->con->ip);
snprintf(post, sizeof (post),
ret = snprintf(post, sizeof(post),
"action=%s&server=%s&port=%d&client=%lu&mount=%s"
"&user=%s&pass=%s&duration=%lu&ip=%s&agent=%s",
url->removeaction, /* already escaped */
......@@ -392,6 +393,12 @@ static auth_result url_remove_client(auth_client *auth_user)
free(ipaddr);
free(user_agent);
if (ret <= 0 || ret >= (ssize_t)sizeof(post)) {
ICECAST_LOG_ERROR("Authentication failed for client %p as header POST data is too long.", client);
auth_user_url_clear(auth_user);
return AUTH_FAILED;
}
if (strchr (url->removeurl, '@') == NULL) {
if (url->userpwd) {
curl_easy_setopt(url->handle, CURLOPT_USERPWD, url->userpwd);
......@@ -499,6 +506,13 @@ static auth_result url_add_client(auth_client *auth_user)
free(password);
free(ipaddr);
if (post_offset <= 0 || post_offset >= (ssize_t)sizeof(post)) {
ICECAST_LOG_ERROR("Authentication failed for client %p as header POST data is too long.", client);
auth_user_url_clear(auth_user);
return AUTH_FAILED;
}
pass_headers = NULL;
if (url->pass_headers)
pass_headers = strdup(url->pass_headers);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment