Fix: Worked around buffer overflows in URL auth's cURL interface

This is only a workaround that keeps compatibility with 2.4.x mainline. A real fix has been implemented in 2.5.x (master).
2024-09-22 04:15:54 -04:00 · 2018-10-28 10:42:33 +00:00 · 2018-10-28 10:42:33 +00:00 · 03ea74c04a
commit 03ea74c04a
parent e49086aaf6
1 changed files with 36 additions and 18 deletions
--- a/src/auth_url.c
+++ b/src/auth_url.c
@ -141,34 +141,52 @@ static int my_getpass(void *client, char *prompt, char *buffer, int buflen)
 static size_t handle_returned_header (void *ptr, size_t size, size_t nmemb, void *stream)
 {
    auth_client *auth_user = stream;
-    size_t bytes = size * nmemb;
+    size_t len = size * nmemb;
    client_t *client = auth_user->client;

-    if (client)
-    {
+    if (client) {
        auth_t *auth = client->auth;
        auth_url *url = auth->state;
-        if (strncasecmp (ptr, url->auth_header, url->auth_header_len) == 0)
+
+        if (url->auth_header && len >= url->auth_header_len && strncasecmp(ptr, url->auth_header, url->auth_header_len) == 0)
            client->authenticated = 1;
-        if (strncasecmp (ptr, url->timelimit_header, url->timelimit_header_len) == 0)
-        {
+
+        if (url->timelimit_header && len > url->timelimit_header_len && strncasecmp(ptr, url->timelimit_header, url->timelimit_header_len) == 0) {
+            const char *input = ptr;
            unsigned int limit = 0;
-            sscanf ((char *)ptr+url->timelimit_header_len, "%u\r\n", &limit);
-            client->con->discon_time = time(NULL) + limit;
+
+            if (len >= 2 && input[len - 2] == '\r' && input[len - 1] == '\n') {
+                input += url->timelimit_header_len;
+
+                if (sscanf(input, "%u\r\n", &limit) == 1) {
+                    client->con->discon_time = time(NULL) + limit;
+                } else {
+                    ICECAST_LOG_ERROR("Auth backend returned invalid timeline header: Can not parse limit");
+                }
+            } else {
+                ICECAST_LOG_ERROR("Auth backend returned invalid timelimit header.");
+            }
        }
-        if (strncasecmp (ptr, "icecast-auth-message: ", 22) == 0)
-        {
-            char *eol;
-            snprintf (url->errormsg, sizeof (url->errormsg), "%s", (char*)ptr+22);
-            eol = strchr (url->errormsg, '\r');
-            if (eol == NULL)
-                eol = strchr (url->errormsg, '\n');
-            if (eol)
-                *eol = '\0';
+
+        if (len > 24 && strncasecmp(ptr, "icecast-auth-message: ", 22) == 0) {
+            const char *input = ptr;
+            size_t copy_len = len - 24 + 1; /* length of string plus \0-termination */
+
+            if (copy_len > sizeof(url->errormsg)) {
+                copy_len = sizeof(url->errormsg);
+            }
+
+            if (len >= 2 && input[len - 2] == '\r' && input[len - 1] == '\n') {
+                input += 22;
+                memcpy(url->errormsg, input, copy_len);
+                url->errormsg[copy_len-1] = 0;
+            } else {
+                ICECAST_LOG_ERROR("Auth backend returned invalid message header.");
+            }
        }
    }

-    return bytes;
+    return len;
 }

 /* capture returned data, but don't do anything with it */