live555 icon indicating copy to clipboard operation
live555 copied to clipboard

Published 20 hours ago verified publisher icon rgaufman

There is a memory leak in function parseAuthorizationHeader, which can cause a DoS

Open zounathan opened this issue 5 years ago • 2 comments

In the lastest version of live555, there is a memory leak issue. The attacker can make the server crash with this issue.

when parse the setup packet with many username fileds, the value of username will be duplicated many times at [1]. The pointers of username value can't be freed ever, except for the last one. The fileds realm nonce uri response have the same problem.

static Boolean parseAuthorizationHeader(char const* buf,
					char const*& username,
					char const*& realm,
					char const*& nonce, char const*& uri,
					char const*& response) {
  // Initialize the result parameters to default values:
  username = realm = nonce = uri = response = NULL;
  
  // First, find "Authorization:"
  while (1) {
    if (*buf == '\0') return False; // not found
    if (_strncasecmp(buf, "Authorization: Digest ", 22) == 0) break;
    ++buf;
  }
  
  // Then, run through each of the fields, looking for ones we handle:
  char const* fields = buf + 22;
  while (*fields == ' ') ++fields;
  char* parameter = strDupSize(fields);
  char* value = strDupSize(fields);
  while (1) {
    value[0] = '\0';
    if (sscanf(fields, "%[^=]=\"%[^\"]\"", parameter, value) != 2 &&
	sscanf(fields, "%[^=]=\"\"", parameter) != 1) {
      break;
    }
    if (strcmp(parameter, "username") == 0) {
      username = strDup(value);    //[1]
    } else if (strcmp(parameter, "realm") == 0) {
      realm = strDup(value);
    } else if (strcmp(parameter, "nonce") == 0) {
      nonce = strDup(value);
    } else if (strcmp(parameter, "uri") == 0) {
      uri = strDup(value);
    } else if (strcmp(parameter, "response") == 0) {
      response = strDup(value);
    }
    
    fields += strlen(parameter) + 2 /*="*/ + strlen(value) + 1 /*"*/;
    while (*fields == ',' || *fields == ' ') ++fields;
        // skip over any separating ',' and ' ' chars
    if (*fields == '\0' || *fields == '\r' || *fields == '\n') break;
  }
  delete[] parameter; delete[] value;
  return True;
}

zounathan avatar Feb 11 '19 04:02 zounathan

This was assigned CVE-2019-7732.

nluedtke avatar Feb 11 '19 22:02 nluedtke

This bug report was rejected by upstream, please close:

http://lists.live555.com/pipermail/live-devel/2019-May/021218.html

hlef avatar May 12 '19 05:05 hlef