
Potential vulnerability in onvif module due to stale dependencies

Open JAremko opened this issue 1 year ago • 3 comments

onvif module depends on libgsoap.a, and the current version was pushed May 24, 2020. Since then there have been a couple of major vulnerability disclosures about the library, including TALOS-2021-1245.

Also, the code snippet from the report:

#include <string.h>

/* soap_decode as quoted in the report: skips leading blanks and separators,
 * copies at most len-1 bytes into buf (the i-- > 1 bound), decodes %XX only
 * when two more bytes actually follow the '%', and returns a cursor past the
 * decoded field. */
static const char *
soap_decode(char *buf, size_t len, const char *val, const char *sep)
{
  const char *s;
  char *t = buf;
  size_t i = len;
  if (!buf || !val || !sep || len == 0)
    return val;
  for (s = val; *s; s++)
    if (*s != ' ' && *s != '\t' && !strchr(sep, *s))
      break;
  if (len > 0)
  {
    if (*s == '"')
    {
      s++;
      while (*s && *s != '"' && i-- > 1)
        *t++ = *s++;
    }
    else
    {
      while (*s && !strchr(sep, *s) && i-- > 1)
      {
        if (*s == '%' && s[1] && s[2])   /* both hex digits must exist */
        {
          *t++ = ((s[1] >= 'A' ? (s[1] & 0x7) + 9 : s[1] - '0') << 4)
                + (s[2] >= 'A' ? (s[2] & 0x7) + 9 : s[2] - '0');
          s += 3;
        }
        else
          *t++ = *s++;
      }
    }
    buf[len - 1] = '\0'; /* appease static checkers that get confused */
  }
  *t = '\0';
  while (*s && !strchr(sep, *s))
    s++;
  return s;
}

looks very similar (after translation back into C) to what you provide in this repo:

byte * soap_decode(byte *param_1,int param_2,byte *param_3,undefined4 param_4)

{
  char cVar1;
  int iVar2;
  char cVar3;
  int iStack24;
  byte *pbStack16;
  byte *pbStack12;
  
  pbStack16 = param_3;
  while ((*pbStack16 != 0 &&
         (((*pbStack16 == 0x20 || (*pbStack16 == 9)) ||
          (iVar2 = strchr(param_4,*pbStack16), iVar2 != 0))))) {
    pbStack16 = pbStack16 + 1;
  }
  iStack24 = param_2;
  pbStack12 = param_1;
  if (*pbStack16 == 0x22) {
    while (((pbStack16 = pbStack16 + 1, *pbStack16 != 0 && (*pbStack16 != 0x22)) &&
           (iStack24 = iStack24 + -1, iStack24 != 0))) {
      *pbStack12 = *pbStack16;
      pbStack12 = pbStack12 + 1;
    }
  }
  else {
    while ((((*pbStack16 != 0 && ((*pbStack16 == 0xffffffff || (0x20 < *pbStack16)))) &&
            (iVar2 = strchr(param_4,*pbStack16), iVar2 == 0)) &&
           (iStack24 = iStack24 + -1, iStack24 != 0))) {
      if (*pbStack16 == 0x25) {
        if (pbStack16[1] < 0x41) {
          cVar1 = (char)((pbStack16[1] - 0x30 & 0xff) << 4);
        }
        else {
          cVar1 = ((pbStack16[1] & 7) + 9) * '\x10';
        }
        if (pbStack16[2] < 0x41) {
          cVar3 = pbStack16[2] - 0x30;
        }
        else {
          cVar3 = (pbStack16[2] & 7) + 9;
        }
        *pbStack12 = cVar1 + cVar3;
        pbStack16 = pbStack16 + 3;
        pbStack12 = pbStack12 + 1;
      }
      else {
        *pbStack12 = *pbStack16;
        pbStack16 = pbStack16 + 1;
        pbStack12 = pbStack12 + 1;
      }
    }
  }
  *pbStack12 = 0;
  while ((*pbStack16 != 0 && (iVar2 = strchr(param_4,*pbStack16), iVar2 == 0))) {
    pbStack16 = pbStack16 + 1;
  }
  return pbStack16;
}

but it's an even older version without a len check at all :thinking:

JAremko, Jul 15 '22 10:07
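To make the difference between the two loops concrete, here is an added example (written for this note; it is not code from gSOAP, from the TALOS report or from this repo). decode_current is the report's snippet as quoted above; decode_old is my own C rendering of the decompiled loop, an assumption based on the listing in the issue rather than on the vendor's source. It exercises the two places where the listings visibly differ: the decompiled loop pre-decrements its counter and compares it to zero, so len == 0 never stops the copy, and it decodes '%' without the s[1] && s[2] check, so a lone trailing '%' steps past the terminator. The inputs are constructed and zero-padded so the over-read stays inside the example's own arrays and can be measured instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Report version (as quoted in the issue): rejects len == 0, copies at most
 * len-1 bytes, and decodes '%' only when two more bytes follow it. */
static const char *decode_current(char *buf, size_t len, const char *val, const char *sep)
{
  const char *s;
  char *t = buf;
  size_t i = len;
  if (!buf || !val || !sep || len == 0)
    return val;
  for (s = val; *s; s++)
    if (*s != ' ' && *s != '\t' && !strchr(sep, *s))
      break;
  if (*s == '"') {
    s++;
    while (*s && *s != '"' && i-- > 1)
      *t++ = *s++;
  } else {
    while (*s && !strchr(sep, *s) && i-- > 1) {
      if (*s == '%' && s[1] && s[2]) {
        *t++ = (char)(((s[1] >= 'A' ? (s[1] & 0x7) + 9 : s[1] - '0') << 4)
                    + (s[2] >= 'A' ? (s[2] & 0x7) + 9 : s[2] - '0'));
        s += 3;
      } else
        *t++ = *s++;
    }
  }
  buf[len - 1] = '\0';
  *t = '\0';
  while (*s && !strchr(sep, *s))
    s++;
  return s;
}

/* My rendering of the decompiled loop (assumption from the listing, not the
 * vendor's source): the counter is pre-decremented and tested against zero,
 * so len == 0 goes negative and never stops the copy, and '%' is decoded
 * with no check that s[1] and s[2] are still inside the string. */
static const char *decode_old(char *buf, int len, const char *val, const char *sep)
{
  const char *s = val;
  char *t = buf;
  int left = len;
  while (*s && (*s == ' ' || *s == '\t' || strchr(sep, *s)))
    s++;
  if (*s == '"') {
    while (*++s && *s != '"' && --left != 0)
      *t++ = *s;
  } else {
    while (*s && (unsigned char)*s > 0x20 && !strchr(sep, *s) && --left != 0) {
      if (*s == '%') {
        char hi = (unsigned char)s[1] < 'A' ? (char)(((s[1] - '0') & 0xff) << 4)
                                            : (char)(((s[1] & 7) + 9) * 16);
        char lo = (unsigned char)s[2] < 'A' ? (char)(s[2] - '0')
                                            : (char)((s[2] & 7) + 9);
        *t++ = (char)(hi + lo);
        s += 3;                       /* may jump past the terminator */
      } else
        *t++ = *s++;
    }
  }
  *t = '\0';
  while (*s && !strchr(sep, *s))
    s++;
  return s;
}

/* Constructed input "ab%" in a zero-padded array: how many bytes past the
 * terminator did the returned cursor land? (2 for the old loop, 0 for the
 * report version, which copies the lone '%' literally.) */
static long overstep(int use_old)
{
  char in[32] = "ab%";
  char out[32];
  const char *end = use_old ? decode_old(out, (int)sizeof out, in, "&")
                            : decode_current(out, sizeof out, in, "&");
  return (long)(end - in) - (long)strlen(in);
}

/* Decode the constructed input "0123456789" with the given len; out is zeroed,
 * so the result is the number of bytes actually stored. */
static size_t chars_copied(int use_old, int len)
{
  char out[64] = {0};
  if (use_old)
    decode_old(out, len, "0123456789", "&");
  else
    decode_current(out, (size_t)len, "0123456789", "&");
  return strlen(out);
}

/* Percent-decoding sanity check: "a%41b&rest" -> "aAb", cursor on the '&'. */
static int hex_decode_ok(void)
{
  char out[16];
  const char *r = decode_current(out, sizeof out, "a%41b&rest", "&");
  return strcmp(out, "aAb") == 0 && *r == '&';
}

int main(void)
{
  printf("cursor past NUL: old=%ld current=%ld\n", overstep(1), overstep(0));
  printf("len=0 copied: old=%zu current=%zu\n", chars_copied(1, 0), chars_copied(0, 0));
  printf("len=4 copied: old=%zu current=%zu (hex ok=%d)\n", chars_copied(1, 4), chars_copied(0, 4), hex_decode_ok());
  return 0;
}
```

The len == 4 case shows that, for a non-zero length, both loops stop after len-1 bytes; the two cases that separate them are the zero length and the truncated escape, which is why a fuzzer fed short or unterminated fields hits the old build and not the report's version.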

Hi JAremko, thanks for the issue. I will keep it open to remind more people.
1. The code for libgsoap.a is still from 2016; it is very old and is not recommended for use in production.
2. The current /mod/onvif just implements a simple video stream for easy testing.
3. If you need to use Onvif in production, I recommend using the new Onvif WSDL to generate the base library.

openxv, Jul 15 '22 11:07

I've already submitted the source code for FW/gSOAP; someone might still be using it: https://github.com/openhisilicon/HIVIEW/commit/4c3c3fe2732d2692c26af706e2ec54a685d28473

openxv, Jul 15 '22 11:07

Thanks. The more dependencies that are buildable from source, the better :+1:

JAremko, Jul 17 '22 15:07