[pulseaudio-discuss] [PATCH v6 37/37] raop: Fix #37: OOB access in rtsp_auth_cb

Hajime Fujita crisp.fujita at gmail.com
Sun Jan 31 20:16:34 PST 2016


From: ced2c <cedric.hottier at gmail.com>

Allocation for Apple-Challenge key is now defined to 16 bytes
(instead of 16 bits)

This patch fixes Issue #37
https://github.com/hfujita/pulseaudio-raop2/issues/37
---
 src/modules/raop/raop-client.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/modules/raop/raop-client.c b/src/modules/raop/raop-client.c
index c4576ef..d52d4b3 100644
--- a/src/modules/raop/raop-client.c
+++ b/src/modules/raop/raop-client.c
@@ -86,6 +86,7 @@
 #define VOLUME_MIN -144.0
 
 #define UDP_DEFAULT_PKT_BUF_SIZE 1000
+#define APPLE_CHALLENGE_LENGTH 16
 
 struct pa_raop_client {
     pa_core *core;
@@ -1190,7 +1191,7 @@ static void rtsp_auth_cb(pa_rtsp_client *rtsp, pa_rtsp_state_t state, pa_rtsp_st
     switch (state) {
         case STATE_CONNECT: {
             char *sci = NULL, *sac = NULL;
-            uint16_t rac;
+            uint8_t rac[APPLE_CHALLENGE_LENGTH];
             struct {
                 uint32_t ci1;
                 uint32_t ci2;
@@ -1201,9 +1202,9 @@ static void rtsp_auth_cb(pa_rtsp_client *rtsp, pa_rtsp_state_t state, pa_rtsp_st
             sci = pa_sprintf_malloc("%08x%08x",rci.ci1, rci.ci2);
             pa_rtsp_add_header(c->rtsp, "Client-Instance", sci);
 
-            pa_random(&rac, sizeof(rac));
+            pa_random(rac, APPLE_CHALLENGE_LENGTH);
             /* Generate a random Apple-Challenge key */
-            pa_raop_base64_encode(&rac, 8 * sizeof(rac), &sac);
+            pa_raop_base64_encode(rac, APPLE_CHALLENGE_LENGTH, &sac);
             rtrim_char(sac, '=');
             pa_rtsp_add_header(c->rtsp, "Apple-Challenge", sac);
 
-- 
2.5.0



More information about the pulseaudio-discuss mailing list