File icecast-2.3.2-CVE-2011-4612.diff of Package icecast
---
src/fserve.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/src/fserve.c
+++ b/src/fserve.c
@@ -395,6 +395,19 @@ int fserve_client_create (client_t *http
int xspf_requested = 0, xspf_file_available = 1;
ice_config_t *config;
FILE *file;
+ char *filtered_path, *p;
+
+ /* strip \r and \n from path string; it's duplicated, so it must be
+ * freed at return
+ */
+ filtered_path = strdup(path);
+ if (!filtered_path)
+ return -1;
+ for (p = filtered_path; *p; p++) {
+ if (*p == '\r' || *p == '\n')
+ *p = '_';
+ }
+ path = filtered_path;
fullpath = util_get_path_from_normalised_uri (path);
INFO2 ("checking for file %s (%s)", path, fullpath);
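Review bot: The filter loop replaces only `\r` and `\n`, so other control bytes in the request path (ESC, backspace, DEL) still reach the `INFO2` call and the later `WARN1`/`WARN2` lines unchanged; widening the test to `if ((unsigned char)*p < 0x20 || *p == 0x7f) *p = '_';` would cover them. Separately, the `return -1` after a failed `strdup` is the only failure exit visible in this patch that does not call `client_send_404` or `client_destroy` first, so if `fserve_client_create` owns `httpclient` (the other exits suggest it does, but confirm against the caller) that path leaves the client unreleased. Because `path` is reassigned before `util_get_path_from_normalised_uri`, the rewritten string also drives the file lookup, not just the log text; a short comment saying this is intended would help. The function body starts and ends outside this hunk.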
@@ -414,6 +427,7 @@ int fserve_client_create (client_t *http
WARN2 ("req for file \"%s\" %s", fullpath, strerror (errno));
client_send_404 (httpclient, "The file you requested could not be found");
free (fullpath);
+ free (filtered_path);
return -1;
}
m3u_file_available = 0;
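Review bot: Freeing `filtered_path` by hand before every `return` (here and in the hunks at -462, -475, -486, -495, -504, -594 and -603) means any exit the patch did not touch, or one added later, leaks the copy. The code between the hunks is not visible here, so the whole function should be checked for a remaining `return` or `goto` that skips the free. A single cleanup label would remove the repetition: have each exit set a result variable and jump to `out: free (filtered_path); return ret;`, leaving the per-path `free (fullpath)` calls as they are.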
@@ -462,6 +476,7 @@ int fserve_client_create (client_t *http
fserve_add_client (httpclient, NULL);
free (sourceuri);
free (fullpath);
+ free (filtered_path);
return 0;
}
if (xspf_requested && xspf_file_available == 0)
@@ -475,6 +490,8 @@ int fserve_client_create (client_t *http
free (reference);
admin_send_response (doc, httpclient, TRANSFORMED, "xspf.xsl");
xmlFreeDoc(doc);
+ free (fullpath);
+ free (filtered_path);
return 0;
}
@@ -486,6 +503,7 @@ int fserve_client_create (client_t *http
client_send_404 (httpclient, "The file you requested could not be found");
config_release_config();
free (fullpath);
+ free (filtered_path);
return -1;
}
config_release_config();
@@ -495,6 +513,7 @@ int fserve_client_create (client_t *http
client_send_404 (httpclient, "The file you requested could not be found");
WARN1 ("found requested file but there is no handler for it: %s", fullpath);
free (fullpath);
+ free (filtered_path);
return -1;
}
@@ -504,6 +523,7 @@ int fserve_client_create (client_t *http
WARN1 ("Problem accessing file \"%s\"", fullpath);
client_send_404 (httpclient, "File not readable");
free (fullpath);
+ free (filtered_path);
return -1;
}
free (fullpath);
@@ -594,6 +614,7 @@ int fserve_client_create (client_t *http
stats_event_inc (NULL, "file_connections");
fserve_add_client (httpclient, file);
+ free (filtered_path);
return 0;
@@ -603,6 +624,7 @@ fail:
sock_write (httpclient->con->sock,
"HTTP/1.0 416 Request Range Not Satisfiable\r\n\r\n");
client_destroy (httpclient);
+ free (filtered_path);
return -1;
}