Ticket #5030: libs_libmythlivemedia_cve-2007-6036.patch

File libs_libmythlivemedia_cve-2007-6036.patch, 2.8 KB (added by Erik Hovland <erik@…>, 12 years ago)

backport of the DoS fix from liveMedia 2008-02-08 tarball

  • libs/libmythlivemedia/liveMedia/RTSPClient.cpp

    This patch should cover the fixes needed to protect against a denial of
    
    From: Erik Hovland <erik@hovland.org>
    
    service attack that was discovered by Luigi Auriemma. The gist of the fix
    was to make sure that unsigned values were being properly checked.
    ---
    
     libs/libmythlivemedia/liveMedia/RTSPClient.cpp |    4 ++--
     libs/libmythlivemedia/liveMedia/RTSPCommon.cpp |    6 +++---
     2 files changed, 5 insertions(+), 5 deletions(-)
    
    diff --git a/libs/libmythlivemedia/liveMedia/RTSPClient.cpp b/libs/libmythlivemedia/liveMedia/RTSPClient.cpp
    index 45eceed..46619b0 100644
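--- a/libs/libmythlivemedia/liveMedia/RTSPClient.cpp
+++ b/libs/libmythlivemedia/liveMedia/RTSPClient.cpp
@@ -2124,11 +2124,11 @@ unsigned RTSPClient::getResponse1(char*& responseBuffer,
   Boolean haveSeenNonCRLF = False;
   int bytesRead = 1; // because we've already read the first byte
   while (bytesRead < (int)responseBufferSize) {
-    unsigned bytesReadNow
+    int bytesReadNow
       = readSocket(envir(), fInputSocketNum,
                    (unsigned char*)(responseBuffer+bytesRead),
                    1, fromAddress);
-    if (bytesReadNow == 0) {
+    if (bytesReadNow <= 0) {
       envir().setResultMsg("RTSP response was truncated");
       break;
     }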
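Review bot: The `bytesReadNow <= 0` branch at line 2131 reports a clean end-of-stream and a socket error with the same "RTSP response was truncated" message, so a caller reading the result message cannot tell the two apart; if that distinction matters, split the check and set a separate message for the negative case. The switch to `int bytesReadNow` is what makes a negative return visible at all, yet nothing in the code says so; a comment above the declaration such as `// signed on purpose: readSocket() reports errors as a negative value, which an unsigned would turn into a huge byte count` would keep a later cleanup from reverting it. readSocket's declared return type is not visible in this hunk, so confirm it is signed. getResponse1 begins and ends outside the hunk.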
  • libs/libmythlivemedia/liveMedia/RTSPCommon.cpp

    diff --git a/libs/libmythlivemedia/liveMedia/RTSPCommon.cpp b/libs/libmythlivemedia/liveMedia/RTSPCommon.cpp
    index 95cede7..0b3734f 100644
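--- a/libs/libmythlivemedia/liveMedia/RTSPCommon.cpp
+++ b/libs/libmythlivemedia/liveMedia/RTSPCommon.cpp
@@ -50,7 +50,7 @@ Boolean parseRTSPRequestString(char const* reqStr,
   // Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows:
   unsigned j = i+1;
   while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j; // skip over any additional white space
-  for (j = i+1; j < reqStrSize-8; ++j) {
+  for (j = i+1; (int)j < (int)(reqStrSize-8); ++j) {
     if ((reqStr[j] == 'r' || reqStr[j] == 'R')
         && (reqStr[j+1] == 't' || reqStr[j+1] == 'T')
         && (reqStr[j+2] == 's' || reqStr[j+2] == 'S')
@@ -72,7 +72,7 @@ Boolean parseRTSPRequestString(char const* reqStr,
 
   // Look for the URL suffix (before the following "RTSP/"):
   parseSucceeded = False;
-  for (unsigned k = i+1; k < reqStrSize-5; ++k) {
+  for (unsigned k = i+1; (int)k < (int)(reqStrSize-5); ++k) {
     if (reqStr[k] == 'R' && reqStr[k+1] == 'T' &&
         reqStr[k+2] == 'S' && reqStr[k+3] == 'P' && reqStr[k+4] == '/') {
       while (--k >= i && reqStr[k] == ' ') {} // go back over all spaces before "RTSP/"
@@ -107,7 +107,7 @@ Boolean parseRTSPRequestString(char const* reqStr,
   // Look for "CSeq:", skip whitespace,
   // then read everything up to the next \r or \n as 'CSeq':
   parseSucceeded = False;
-  for (j = i; j < reqStrSize-5; ++j) {
+  for (j = i; (int)j < (int)(reqStrSize-5); ++j) {
     if (reqStr[j] == 'C' && reqStr[j+1] == 'S' && reqStr[j+2] == 'e' &&
         reqStr[j+3] == 'q' && reqStr[j+4] == ':') {
       j += 5;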
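Review bot: The casts in `(int)j < (int)(reqStrSize-8)` at line 53 still let `reqStrSize-8` wrap first (reqStrSize appears to be unsigned) and then rely on the out-of-range unsigned-to-int conversion producing a negative value, which is implementation-defined before C++20, and they misbehave for sizes above INT_MAX. Writing the bound without a subtraction avoids both problems: `for (j = i+1; j+8 < reqStrSize; ++j) {`, and likewise `k+5 < reqStrSize` at line 75 and `j+5 < reqStrSize` at line 110. Separately, on line 78 `--k >= i` with unsigned `k` can never become false if `i` is 0, so the backward scan deserves an explicit lower-bound guard before the decrement; whether `i` can be 0 is decided outside these hunks. parseRTSPRequestString starts and ends outside the visible hunks.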