aniani/icecast-server
1
0
Fork 0
mirror of https://gitlab.xiph.org/xiph/icecast-server.git synced 2024-12-04 14:46:30 -05:00
Code

Fix: Corrected possible bufferoverflows in format_prepare_headers()

Browse Source
This commit is contained in:
Philipp Schafft 2018-10-17 13:07:48 +00:00
parent 548e7963a7
commit 162e3dd650
1 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/format.c
View File

@ -295,7 +295,7 @@ static inline ssize_t __print_var(char *str, size_t remaining, const char *forma
for (i = 0; i < var->values; i++) { for (i = 0; i < var->values; i++) {
ret = snprintf(str + done, remaining - done, format, first, var->value[i]); ret = snprintf(str + done, remaining - done, format, first, var->value[i]);
if (ret == -1) if (ret <= 0 || (size_t)ret >= (remaining - done))
return -1; return -1;
done += ret; done += ret;
@ -331,7 +331,7 @@ static int format_prepare_headers (source_t *source, client_t *client)
client->respcode = 200; client->respcode = 200;
bytes = util_http_build_header(ptr, remaining, 0, 0, 200, NULL, source->format->contenttype, NULL, NULL, source, client); bytes = util_http_build_header(ptr, remaining, 0, 0, 200, NULL, source->format->contenttype, NULL, NULL, source, client);
if (bytes < 0) { if (bytes <= 0) {
ICECAST_LOG_ERROR("Dropping client as we can not build response headers."); ICECAST_LOG_ERROR("Dropping client as we can not build response headers.");
client->respcode = 500; client->respcode = 500;
return -1; return -1;
@ -342,7 +342,7 @@ static int format_prepare_headers (source_t *source, client_t *client)
client->refbuf->data = ptr = new_ptr; client->refbuf->data = ptr = new_ptr;
client->refbuf->len = remaining = bytes + 1024; client->refbuf->len = remaining = bytes + 1024;
bytes = util_http_build_header(ptr, remaining, 0, 0, 200, NULL, source->format->contenttype, NULL, NULL, source, client); bytes = util_http_build_header(ptr, remaining, 0, 0, 200, NULL, source->format->contenttype, NULL, NULL, source, client);
if (bytes == -1 ) { if (bytes <= 0 || (size_t)bytes >= remaining) {
ICECAST_LOG_ERROR("Dropping client as we can not build response headers."); ICECAST_LOG_ERROR("Dropping client as we can not build response headers.");
client->respcode = 500; client->respcode = 500;
return -1; return -1;
@ -354,6 +354,11 @@ static int format_prepare_headers (source_t *source, client_t *client)
} }
} }
if (bytes <= 0 || (size_t)bytes >= remaining) {
ICECAST_LOG_ERROR("Can not allocate headers for client %p", client);
client->respcode = 500;
return -1;
}
remaining -= bytes; remaining -= bytes;
ptr += bytes; ptr += bytes;
@ -421,6 +426,13 @@ static int format_prepare_headers (source_t *source, client_t *client)
} }
} }
if (bytes < 0 || (size_t)bytes >= remaining) {
avl_tree_unlock(source->parser->vars);
ICECAST_LOG_ERROR("Can not allocate headers for client %p", client);
client->respcode = 500;
return -1;
}
remaining -= bytes; remaining -= bytes;
ptr += bytes; ptr += bytes;
if (next) if (next)
@ -429,6 +441,11 @@ static int format_prepare_headers (source_t *source, client_t *client)
avl_tree_unlock(source->parser->vars); avl_tree_unlock(source->parser->vars);
bytes = snprintf(ptr, remaining, "\r\n"); bytes = snprintf(ptr, remaining, "\r\n");
if (bytes <= 0 || (size_t)bytes >= remaining) {
ICECAST_LOG_ERROR("Can not allocate headers for client %p", client);
client->respcode = 500;
return -1;
}
remaining -= bytes; remaining -= bytes;
ptr += bytes; ptr += bytes;