[pulseaudio-discuss] [PATCH] rtsp-client: Fix rtp_port reading.

David Henningsson david.henningsson at canonical.com
Thu Mar 29 23:52:19 PDT 2012


On 03/29/2012 03:03 PM, Tanu Kaskinen wrote:
> pa_atou() return value was not checked, and the cast of a
> 16-bit variable pointer to a 32-bit variable pointer could
> corrupt cseq.

Good catch. Ack.

> ---
>   src/modules/rtp/rtsp_client.c |   12 ++++++++++--
>   1 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/src/modules/rtp/rtsp_client.c b/src/modules/rtp/rtsp_client.c
> index 71692c2..675b5d4 100644
> --- a/src/modules/rtp/rtsp_client.c
> +++ b/src/modules/rtp/rtsp_client.c
> @@ -143,9 +143,17 @@ static void headers_read(pa_rtsp_client *c) {
>
>           /* Now parse out the server port component of the response. */
>           while ((token = pa_split(c->transport, delimiters,&token_state))) {
> -            if ((pc = strstr(token, "="))) {
> +            if ((pc = strchr(token, '='))) {
>                   if (0 == strncmp(token, "server_port", 11)) {
> -                    pa_atou(pc+1, (uint32_t*)(&c->rtp_port));
> +                    uint32_t p;
> +
> +                    if (pa_atou(pc + 1,&p)<  0 || p<= 0 || p>= 0x10000) {
> +                        pa_log("Invalid SETUP response (invalid server_port).");
> +                        pa_xfree(token);
> +                        return;
> +                    }
> +
> +                    c->rtp_port = p;
>                       pa_xfree(token);
>                       break;
>                   }



-- 
David Henningsson, Canonical Ltd.
http://launchpad.net/~diwic


More information about the pulseaudio-discuss mailing list