Commit 548e7963 authored by Philipp Schafft's avatar Philipp Schafft 🦁

Fix: Fixed bufferoverflow within url_add_client()

This can be trigged by:
* overly long username,
* overly long password,
* overly long user agent string,
* overly long path.
parent 081a7974
...@@ -343,6 +343,7 @@ static auth_result url_remove_client(auth_client *auth_user) ...@@ -343,6 +343,7 @@ static auth_result url_remove_client(auth_client *auth_user)
const char *agent; const char *agent;
char *user_agent, char *user_agent,
*ipaddr; *ipaddr;
int ret;
if (url->removeurl == NULL) if (url->removeurl == NULL)
return AUTH_OK; return AUTH_OK;
...@@ -378,7 +379,7 @@ static auth_result url_remove_client(auth_client *auth_user) ...@@ -378,7 +379,7 @@ static auth_result url_remove_client(auth_client *auth_user)
mount = util_url_escape(mountreq); mount = util_url_escape(mountreq);
ipaddr = util_url_escape(client->con->ip); ipaddr = util_url_escape(client->con->ip);
snprintf(post, sizeof (post), ret = snprintf(post, sizeof(post),
"action=%s&server=%s&port=%d&client=%lu&mount=%s" "action=%s&server=%s&port=%d&client=%lu&mount=%s"
"&user=%s&pass=%s&duration=%lu&ip=%s&agent=%s", "&user=%s&pass=%s&duration=%lu&ip=%s&agent=%s",
url->removeaction, /* already escaped */ url->removeaction, /* already escaped */
...@@ -392,6 +393,12 @@ static auth_result url_remove_client(auth_client *auth_user) ...@@ -392,6 +393,12 @@ static auth_result url_remove_client(auth_client *auth_user)
free(ipaddr); free(ipaddr);
free(user_agent); free(user_agent);
if (ret <= 0 || ret >= (ssize_t)sizeof(post)) {
ICECAST_LOG_ERROR("Authentication failed for client %p as header POST data is too long.", client);
auth_user_url_clear(auth_user);
return AUTH_FAILED;
}
if (strchr (url->removeurl, '@') == NULL) { if (strchr (url->removeurl, '@') == NULL) {
if (url->userpwd) { if (url->userpwd) {
curl_easy_setopt(url->handle, CURLOPT_USERPWD, url->userpwd); curl_easy_setopt(url->handle, CURLOPT_USERPWD, url->userpwd);
...@@ -499,6 +506,13 @@ static auth_result url_add_client(auth_client *auth_user) ...@@ -499,6 +506,13 @@ static auth_result url_add_client(auth_client *auth_user)
free(password); free(password);
free(ipaddr); free(ipaddr);
if (post_offset <= 0 || post_offset >= (ssize_t)sizeof(post)) {
ICECAST_LOG_ERROR("Authentication failed for client %p as header POST data is too long.", client);
auth_user_url_clear(auth_user);
return AUTH_FAILED;
}
pass_headers = NULL; pass_headers = NULL;
if (url->pass_headers) if (url->pass_headers)
pass_headers = strdup(url->pass_headers); pass_headers = strdup(url->pass_headers);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment