gstrtspconnection: Security loophole making heap overflow

The former code allowed an attacker to create a heap overflow by sending a longer than allowed session id in a response and including a semicolon to change the maximum length. With this change, the parser will never go beyond 512 bytes.

gstrtspconnection: Security loophole making heap overflow
The former code allowed an attacker to create a heap overflow by sending a longer than allowed session id in a response and including a semicolon to change the maximum length. With this change, the parser will never go beyond 512 bytes.
9ff50195 · Tobias Ronge · Tim-Philipp Müller · 85c9b767 · 9ff50195
Commit 9ff50195 authored Mar 14, 2019 by Tobias Ronge Committed by Tim-Philipp Müller May 01, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

gst-libs/gst/rtsp/gstrtspconnection.c gst-libs/gst/rtsp/gstrtspconnection.c +1 -1

No files found.
--- a/gst-libs/gst/rtsp/gstrtspconnection.c
+++ b/gst-libs/gst/rtsp/gstrtspconnection.c
@@ -2132,7 +2132,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
          maxlen = sizeof (conn->session_id) - 1;
          /* the sessionid can have attributes marked with ;
           * Make sure we strip them */
-          for (i = 0; session_id[i] != '\0'; i++) {
+          for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
            if (session_id[i] == ';') {
              maxlen = i;
              /* parse timeout */