File icecast-CVE-2018-18820-2.patch of Package icecast
From 03ea74c04a5966114c2fe66e4e6892d11a68181e Mon Sep 17 00:00:00 2001
From: Philipp Schafft <lion@lion.leolix.org>
Date: Sun, 28 Oct 2018 10:42:33 +0000
Subject: [PATCH] Fix: Worked around buffer overflows in URL auth's cURL
interface
This is only a workaround that keeps compatibility with 2.4.x mainline.
A real fix has been implemented in 2.5.x (master).
---
src/auth_url.c | 54 ++++++++++++++++++++++++++++++++++++------------------
1 file changed, 36 insertions(+), 18 deletions(-)
--- a/src/auth_url.c
+++ b/src/auth_url.c
@@ -141,34 +141,52 @@ static int my_getpass(void *client, char
static size_t handle_returned_header (void *ptr, size_t size, size_t nmemb, void *stream)
{
auth_client *auth_user = stream;
- unsigned bytes = size * nmemb;
+ size_t len = size * nmemb;
client_t *client = auth_user->client;
- if (client)
- {
+ if (client) {
auth_t *auth = client->auth;
auth_url *url = auth->state;
- if (strncasecmp (ptr, url->auth_header, url->auth_header_len) == 0)
+
+ if (url->auth_header && len >= url->auth_header_len && strncasecmp(ptr, url->auth_header, url->auth_header_len) == 0)
client->authenticated = 1;
- if (strncasecmp (ptr, url->timelimit_header, url->timelimit_header_len) == 0)
- {
+
+ if (url->timelimit_header && len > url->timelimit_header_len && strncasecmp(ptr, url->timelimit_header, url->timelimit_header_len) == 0) {
+ const char *input = ptr;
unsigned int limit = 0;
- sscanf ((char *)ptr+url->timelimit_header_len, "%u\r\n", &limit);
- client->con->discon_time = time(NULL) + limit;
+
+ if (len >= 2 && input[len - 2] == '\r' && input[len - 1] == '\n') {
+ input += url->timelimit_header_len;
+
+ if (sscanf(input, "%u\r\n", &limit) == 1) {
+ client->con->discon_time = time(NULL) + limit;
+ } else {
+ ICECAST_LOG_ERROR("Auth backend returned invalid timeline header: Can not parse limit");
+ }
+ } else {
+ ICECAST_LOG_ERROR("Auth backend returned invalid timelimit header.");
+ }
}
- if (strncasecmp (ptr, "icecast-auth-message: ", 22) == 0)
- {
- char *eol;
- snprintf (url->errormsg, sizeof (url->errormsg), "%s", (char*)ptr+22);
- eol = strchr (url->errormsg, '\r');
- if (eol == NULL)
- eol = strchr (url->errormsg, '\n');
- if (eol)
- *eol = '\0';
+
+ if (len > 24 && strncasecmp(ptr, "icecast-auth-message: ", 22) == 0) {
+ const char *input = ptr;
+ size_t copy_len = len - 24 + 1; /* length of string plus \0-termination */
+
+ if (copy_len > sizeof(url->errormsg)) {
+ copy_len = sizeof(url->errormsg);
+ }
+
+ if (len >= 2 && input[len - 2] == '\r' && input[len - 1] == '\n') {
+ input += 22;
+ memcpy(url->errormsg, input, copy_len);
+ url->errormsg[copy_len-1] = 0;
+ } else {
+ ICECAST_LOG_ERROR("Auth backend returned invalid message header.");
+ }
}
}
- return (int)bytes;
+ return len;
}
/* capture returned data, but don't do anything with it */
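Review bot: The `sscanf(input, "%u\r\n", &limit)` call in the timelimit branch still parses directly from the cURL header buffer, which nothing in this hunk shows to be NUL-terminated (libcurl documents header callback data as unterminated). The CRLF check only proves what the last two bytes are; `%u` skips leading whitespace, including `\r` and `\n`, so a header with no digits before the CRLF lets the scan continue past `len`, and some C libraries measure the whole input string before parsing at all. Copying the value into a small local buffer bounded by `len` and terminating it before the scan, as sketched below, removes any dependence on what follows the buffer. The log text on the failed-parse branch also says "timeline header" where "timelimit header" looks intended.

```c
if (len >= 2 && input[len - 2] == '\r' && input[len - 1] == '\n') {
    char value[32];
    /* len > timelimit_header_len was checked above, so this is >= 1 */
    size_t value_len = len - url->timelimit_header_len;

    if (value_len >= sizeof(value))
        value_len = sizeof(value) - 1;
    memcpy(value, input + url->timelimit_header_len, value_len);
    value[value_len] = '\0';

    if (sscanf(value, "%u", &limit) == 1) {
        /* … unchanged: discon_time assignment, else-branch error logging … */
```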