Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
What's new
7
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Open sidebar
Xiph.Org
Icecast-Server
Commits
b21a7283
Commit
b21a7283
authored
Oct 27, 2018
by
Philipp Schafft
🦁
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fix: Fixed buffer overflows in URL auth code.
See:
#2342
parent
efbcaaba
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
55 additions
and
13 deletions
+55
-13
src/auth_url.c
src/auth_url.c
+55
-13
No files found.
src/auth_url.c
View file @
b21a7283
...
...
@@ -191,6 +191,7 @@ static auth_result url_remove_listener (auth_client *auth_user)
char
*
userpwd
=
NULL
,
post
[
4096
];
const
char
*
agent
;
char
*
user_agent
,
*
ipaddr
;
int
ret
;
if
(
url
->
removeurl
==
NULL
)
return
AUTH_OK
;
...
...
@@ -223,11 +224,11 @@ static auth_result url_remove_listener (auth_client *auth_user)
mount
=
util_url_escape
(
mountreq
);
ipaddr
=
util_url_escape
(
client
->
con
->
ip
);
snprintf
(
post
,
sizeof
(
post
),
"action=listener_remove&server=%s&port=%d&client=%lu&mount=%s"
"&user=%s&pass=%s&duration=%lu&ip=%s&agent=%s"
,
server
,
port
,
client
->
con
->
id
,
mount
,
username
,
password
,
(
long
unsigned
)
duration
,
ipaddr
,
user_agent
);
ret
=
snprintf
(
post
,
sizeof
(
post
),
"action=listener_remove&server=%s&port=%d&client=%lu&mount=%s"
"&user=%s&pass=%s&duration=%lu&ip=%s&agent=%s"
,
server
,
port
,
client
->
con
->
id
,
mount
,
username
,
password
,
(
long
unsigned
)
duration
,
ipaddr
,
user_agent
);
free
(
server
);
free
(
mount
);
free
(
username
);
...
...
@@ -235,6 +236,11 @@ static auth_result url_remove_listener (auth_client *auth_user)
free
(
ipaddr
);
free
(
user_agent
);
if
(
ret
<=
0
||
ret
>=
sizeof
(
post
))
{
ICECAST_LOG_ERROR
(
"POST body too long for buffer on mount point
\"
%H
\"
client %p."
,
auth_user
->
mount
,
client
);
return
AUTH_FAILED
;
}
if
(
strchr
(
url
->
removeurl
,
'@'
)
==
NULL
)
{
if
(
url
->
userpwd
)
...
...
@@ -331,6 +337,11 @@ static auth_result url_add_listener (auth_client *auth_user)
free
(
password
);
free
(
ipaddr
);
if
(
post_offset
<=
0
||
post_offset
>=
sizeof
(
post
))
{
ICECAST_LOG_ERROR
(
"POST body too long for buffer on mount point
\"
%H
\"
client %p."
,
auth_user
->
mount
,
client
);
return
AUTH_FAILED
;
}
pass_headers
=
NULL
;
if
(
url
->
pass_headers
)
pass_headers
=
strdup
(
url
->
pass_headers
);
...
...
@@ -349,11 +360,21 @@ static auth_result url_add_listener (auth_client *auth_user)
header_val
=
httpp_getvar
(
client
->
parser
,
cur_header
);
if
(
header_val
)
{
size_t
left
=
sizeof
(
post
)
-
post_offset
;
int
ret
;
header_valesc
=
util_url_escape
(
header_val
);
post_offs
et
+
=
snprintf
(
post
+
post_offset
,
sizeof
(
post
)
-
post_offse
t
,
"&%s%s=%s"
,
r
et
=
snprintf
(
post
+
post_offset
,
lef
t
,
"&%s%s=%s"
,
url
->
prefix_headers
?
url
->
prefix_headers
:
""
,
cur_header
,
header_valesc
);
free
(
header_valesc
);
if
(
ret
<=
0
||
ret
>=
left
)
{
ICECAST_LOG_ERROR
(
"POST body too long for buffer on mount point
\"
%H
\"
client %p."
,
auth_user
->
mount
,
client
);
free
(
pass_headers
);
return
AUTH_FAILED
;
}
else
{
post_offset
+=
ret
;
}
}
cur_header
=
next_header
;
...
...
@@ -418,6 +439,7 @@ static void url_stream_start (auth_client *auth_user)
char
*
stream_start_url
;
int
port
;
char
post
[
4096
];
int
ret
;
if
(
url
->
stream_start
==
NULL
)
{
...
...
@@ -433,11 +455,17 @@ static void url_stream_start (auth_client *auth_user)
config_release_config
();
mount
=
util_url_escape
(
auth_user
->
mount
);
snprintf
(
post
,
sizeof
(
post
),
"action=mount_add&mount=%s&server=%s&port=%d"
,
mount
,
server
,
port
);
ret
=
snprintf
(
post
,
sizeof
(
post
),
"action=mount_add&mount=%s&server=%s&port=%d"
,
mount
,
server
,
port
);
free
(
server
);
free
(
mount
);
if
(
ret
<=
0
||
ret
>=
sizeof
(
post
))
{
ICECAST_LOG_ERROR
(
"POST body too long for buffer on mount point
\"
%H
\"
."
,
auth_user
->
mount
);
auth_release
(
auth
);
free
(
stream_start_url
);
return
;
}
if
(
strchr
(
url
->
stream_start
,
'@'
)
==
NULL
)
{
if
(
url
->
userpwd
)
...
...
@@ -470,6 +498,7 @@ static void url_stream_end (auth_client *auth_user)
char
*
stream_end_url
;
int
port
;
char
post
[
4096
];
int
ret
;
if
(
url
->
stream_end
==
NULL
)
{
...
...
@@ -485,11 +514,17 @@ static void url_stream_end (auth_client *auth_user)
config_release_config
();
mount
=
util_url_escape
(
auth_user
->
mount
);
snprintf
(
post
,
sizeof
(
post
),
"action=mount_remove&mount=%s&server=%s&port=%d"
,
mount
,
server
,
port
);
ret
=
snprintf
(
post
,
sizeof
(
post
),
"action=mount_remove&mount=%s&server=%s&port=%d"
,
mount
,
server
,
port
);
free
(
server
);
free
(
mount
);
if
(
ret
<=
0
||
ret
>=
sizeof
(
post
))
{
ICECAST_LOG_ERROR
(
"POST body too long for buffer on mount point
\"
%H
\"
."
,
auth_user
->
mount
);
auth_release
(
auth
);
free
(
stream_end_url
);
return
;
}
if
(
strchr
(
url
->
stream_end
,
'@'
)
==
NULL
)
{
if
(
url
->
userpwd
)
...
...
@@ -519,6 +554,7 @@ static void url_stream_auth (auth_client *auth_user)
auth_url
*
url
=
client
->
auth
->
state
;
char
*
mount
,
*
host
,
*
user
,
*
pass
,
*
ipaddr
,
*
admin
=
""
;
char
post
[
4096
];
int
ret
;
if
(
strchr
(
url
->
stream_auth
,
'@'
)
==
NULL
)
{
...
...
@@ -553,9 +589,9 @@ static void url_stream_auth (auth_client *auth_user)
pass
=
strdup
(
""
);
}
snprintf
(
post
,
sizeof
(
post
),
"action=stream_auth&mount=%s&ip=%s&server=%s&port=%d&user=%s&pass=%s%s"
,
mount
,
ipaddr
,
host
,
port
,
user
,
pass
,
admin
);
ret
=
snprintf
(
post
,
sizeof
(
post
),
"action=stream_auth&mount=%s&ip=%s&server=%s&port=%d&user=%s&pass=%s%s"
,
mount
,
ipaddr
,
host
,
port
,
user
,
pass
,
admin
);
free
(
ipaddr
);
free
(
user
);
free
(
pass
);
...
...
@@ -563,6 +599,12 @@ static void url_stream_auth (auth_client *auth_user)
free
(
host
);
client
->
authenticated
=
0
;
if
(
ret
<=
0
||
ret
>=
sizeof
(
post
))
{
ICECAST_LOG_ERROR
(
"POST body too long for buffer on mount point
\"
%H
\"
client %p."
,
auth_user
->
mount
,
client
);
return
;
}
if
(
curl_easy_perform
(
url
->
handle
))
ICECAST_LOG_WARN
(
"auth to server %s failed with %s"
,
url
->
stream_auth
,
url
->
errormsg
);
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment