[pulseaudio-discuss] [PATCH v6 37/37] raop: Fix #37: OOB access in rtsp_auth_cb
Hajime Fujita
crisp.fujita at gmail.com
Sun Jan 31 20:16:34 PST 2016
From: ced2c <cedric.hottier at gmail.com>
Allocation for Apple-Challenge key is now defined to 16 bytes
(instead of 16 bits)
This patch fixes Issue #37
https://github.com/hfujita/pulseaudio-raop2/issues/37
---
src/modules/raop/raop-client.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/modules/raop/raop-client.c b/src/modules/raop/raop-client.c
index c4576ef..d52d4b3 100644
--- a/src/modules/raop/raop-client.c
+++ b/src/modules/raop/raop-client.c
@@ -86,6 +86,7 @@
#define VOLUME_MIN -144.0
#define UDP_DEFAULT_PKT_BUF_SIZE 1000
+#define APPLE_CHALLENGE_LENGTH 16
struct pa_raop_client {
pa_core *core;
@@ -1190,7 +1191,7 @@ static void rtsp_auth_cb(pa_rtsp_client *rtsp, pa_rtsp_state_t state, pa_rtsp_st
switch (state) {
case STATE_CONNECT: {
char *sci = NULL, *sac = NULL;
- uint16_t rac;
+ uint8_t rac[APPLE_CHALLENGE_LENGTH];
struct {
uint32_t ci1;
uint32_t ci2;
@@ -1201,9 +1202,9 @@ static void rtsp_auth_cb(pa_rtsp_client *rtsp, pa_rtsp_state_t state, pa_rtsp_st
sci = pa_sprintf_malloc("%08x%08x",rci.ci1, rci.ci2);
pa_rtsp_add_header(c->rtsp, "Client-Instance", sci);
- pa_random(&rac, sizeof(rac));
+ pa_random(rac, APPLE_CHALLENGE_LENGTH);
/* Generate a random Apple-Challenge key */
- pa_raop_base64_encode(&rac, 8 * sizeof(rac), &sac);
+ pa_raop_base64_encode(rac, APPLE_CHALLENGE_LENGTH, &sac);
rtrim_char(sac, '=');
pa_rtsp_add_header(c->rtsp, "Apple-Challenge", sac);
--
2.5.0
More information about the pulseaudio-discuss
mailing list