[Server-cvs] protocol/rtsp rtspprot.cpp,1.80,1.81
asrivastava at helixcommunity.org
Update of /cvsroot/server/protocol/rtsp
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv26336
Modified Files:
rtspprot.cpp
Log Message:
Synopsis
========
Bug 187123: ES: Security Vulnerability from SecurityFocus (BugTraq 21141)
Branches: SERVER_11_1_RN ,HEAD
Suggested Reviewer: Darrick
Description
===========
The Python script (attached in the Attachments section) sends a DESCRIBE request to the server which contains
LoadTestPassword as a string of 5000 characters encoded in base64 without a newline character at the end;
the server crashes.
Solutions Found:
==============
The method RegisterPlayerOptions in rtspprot.cpp tries to set the buffer size to the return value of BinFrom64.
BinFrom64 returns the length of the buffer on success or -1 on failure.
SetSize is being called without checking the failure case.
SetSize is called with -1, but it takes an unsigned int as a parameter, so the size becomes a huge value.
Afterwards this size is incremented for the final memory allocation, causing an overflow of the unsigned int,
and it becomes a small positive integer after the roll-over.
So the allocated buffer is small and the data to be copied is huge, which causes memory corruption and makes the server
crash.
Fix:
===============
We are now checking for the return value and we are calling SetSize only in the case of success.
Files Affected
==============
server\protocol\rtsp\rtspprot.cpp
Testing Performed
=================
Unit Tests:
- Used the Python script to send the same DESCRIBE request as in the repro; the server works fine after the fix and no crash
is observed.
Integration Tests:
- None
Leak Tests:
- None.
Performance Tests:
- None
Build verified: Helix 11.1.2GA on win32-i386-vc7, Sun Solaris 10
QA Hints
===============
Please run the attached script in the Attachments section for the bug and verify that it doesn't crash the server.
Index: rtspprot.cpp
===================================================================
RCS file: /cvsroot/server/protocol/rtsp/rtspprot.cpp,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -d -r1.80 -r1.81
--- rtspprot.cpp 21 Dec 2006 19:04:55 -0000 1.80
+++ rtspprot.cpp 31 Jan 2007 12:09:39 -0000 1.81
@@ -2253,20 +2253,24 @@
{
IHXBuffer* pBuffer = new ServerBuffer(TRUE);
pBuffer->SetSize(pValue->GetSize()); // Overkill
- pBuffer->SetSize(BinFrom64((const char*)pValue->GetBuffer(),
- pValue->GetSize(), (unsigned char*)pBuffer->GetBuffer()));
-#ifndef PERF_NOCLIENTREG
- if (client()->use_registry_for_stats())
+ INT32 length = BinFrom64((const char*)pValue->GetBuffer(),
+ pValue->GetSize(), (unsigned char*)pBuffer->GetBuffer());
+ if (length > 0)
{
- sprintf(szProp, "client.%ld.LoadTestPassword", ulRegistryConnId);
- pRegistry->AddBuf(szProp, pBuffer, pProc);
- }
+ pBuffer->SetSize(length);
+
+#ifndef PERF_NOCLIENTREG
+ if (client()->use_registry_for_stats())
+ {
+ sprintf(szProp, "client.%ld.LoadTestPassword", ulRegistryConnId);
+ pRegistry->AddBuf(szProp, pBuffer, pProc);
+ }
#endif /* ndef PERF_NOCLIENTREG */
- if (!client()->m_bIsAProxy)
- {
- client()->get_client_stats()->SetLoadTestPassword(pBuffer);
+ if (!client()->m_bIsAProxy)
+ {
+ client()->get_client_stats()->SetLoadTestPassword(pBuffer);
+ }
}
-
HX_RELEASE(pValue);
HX_RELEASE(pBuffer);
}
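Review bot: the guard `if (length > 0)` treats a successful zero-length decode the same as the -1 failure code, so an empty but well-formed LoadTestPassword is silently never registered; if that is intended, say so in a comment next to the check, otherwise `length >= 0` matches the "only in the case of success" wording of the log message. On the failure path the request simply continues with no log entry, so a malformed value such as the BugTraq 21141 repro leaves no trace in the server log; a debug message in an `else` branch would help QA confirm the fix is what stopped the crash. The `pBuffer->SetSize(pValue->GetSize()); // Overkill` line kept above the decode is what keeps the decode itself in bounds, since base64 output is never longer than its input, so that comment undersells it and should say the scratch size is deliberate.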
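The arithmetic described under "Solutions Found", as an added example that is not part of the original commit or of Helix Server: a signed -1 return value stored in an unsigned size, the +1 for the final allocation rolling that size over to 0, and the guarded version that rejects failed decodes before they ever become a size. The decoder `b64_decode`, the `sizes_t` model of SetSize, and the `store_decoded` flow are stand-ins written for this page, not BinFrom64 or ServerBuffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the server's base64 decoder (NOT Helix's BinFrom64): returns the
 * decoded length on success, -1 on malformed input (bad length, stray bytes such
 * as a trailing '\n', or a character outside the alphabet). out must hold in_len bytes. */
static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

static int32_t b64_decode(const char *in, size_t in_len, unsigned char *out)
{
    if (in_len == 0 || in_len % 4 != 0) return -1;
    int32_t n = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {                 /* padding only in the last quad, last two slots */
                if (i + 4 != in_len || k < 2) return -1;
                pad++; v[k] = 0;
            } else {
                if (pad) return -1;         /* data after padding */
                v[k] = b64_val(c);
                if (v[k] < 0) return -1;
            }
        }
        out[n++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (pad < 2) out[n++] = (unsigned char)(((v[1] & 0x0f) << 4) | (v[2] >> 2));
        if (pad < 1) out[n++] = (unsigned char)(((v[2] & 0x03) << 6) | v[3]);
    }
    return n;
}

/* Model of a SetSize that takes an unsigned size and allocates one extra byte. */
typedef struct { uint32_t size; uint32_t alloc; } sizes_t;

/* Pre-fix pattern: the decoder's return value goes straight into the unsigned size. */
static sizes_t unchecked_setsize(int32_t rc)
{
    sizes_t s;
    s.size  = (uint32_t)rc;   /* -1 becomes 4294967295 */
    s.alloc = s.size + 1;     /* 4294967295 + 1 rolls over to 0: tiny allocation, huge copy */
    return s;
}

/* Post-fix pattern: reject the failure code before it ever becomes a size. */
static int checked_setsize(int32_t rc, sizes_t *out)
{
    if (rc <= 0) return -1;   /* mirrors the patch's `if (length > 0)` */
    out->size  = (uint32_t)rc;
    out->alloc = out->size + 1;
    return 0;
}

/* The fixed flow: scratch buffer sized to the encoded length (always >= decoded
 * length), decode, and only on success hand the decoded bytes to the caller. */
static int store_decoded(const char *enc, size_t enc_len, unsigned char **out, uint32_t *out_len)
{
    unsigned char *buf = malloc(enc_len ? enc_len : 1);
    if (!buf) return -1;
    int32_t len = b64_decode(enc, enc_len, buf);
    if (len <= 0) { free(buf); *out = NULL; *out_len = 0; return -1; }
    *out = buf; *out_len = (uint32_t)len;
    return 0;
}

/* Helper: decoded length of a NUL-terminated encoded string, or -1 on failure. */
static int32_t decoded_len(const char *enc)
{
    unsigned char *p = NULL; uint32_t n = 0;
    if (store_decoded(enc, strlen(enc), &p, &n) != 0) return -1;
    free(p);
    return (int32_t)n;
}

int main(void)
{
    sizes_t bad = unchecked_setsize(-1), good;
    printf("unchecked: size=%u alloc=%u\n", bad.size, bad.alloc);
    printf("checked:   %s\n", checked_setsize(-1, &good) ? "rejected" : "accepted");
    printf("\"TWFu\" -> %d bytes, \"TWFu\\n\" -> %d\n", decoded_len("TWFu"), decoded_len("TWFu\n"));
    return 0;
}
```

The constructed inputs "TWFu" (a valid quad) and "TWFu\n" (the same quad with a trailing newline that makes the length not a multiple of four) stand in for the well-formed and malformed LoadTestPassword values; the important line is `s.alloc = s.size + 1`, where the unsigned wrap happens before any copy, which is why checking the signed return value first is the only place the bug can be stopped.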