security: fix missing strdup NULL checks in RAOP authentication

Memory Safety: High

In rtsp_do_options_auth(), the return values of strdup() for
auth_method, realm, and nonce were not checked for NULL. If strdup()
fails due to memory exhaustion, spa_streq() on auth_method will
dereference NULL, and the realm/nonce pointers will be used later in
MD5_hash() causing NULL pointer dereferences.

Add NULL checks after each strdup() call, returning -ENOMEM on failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-23 16:43:26 +02:00
parent 508407b350
commit 440f24f35f


@ -1332,6 +1332,8 @@ static int rtsp_do_options_auth(struct impl *impl, const struct spa_dict *header
return -EINVAL; return -EINVAL;
impl->auth_method = strdup(tokens[0]); impl->auth_method = strdup(tokens[0]);
if (impl->auth_method == NULL)
return -ENOMEM;
if (spa_streq(impl->auth_method, "Digest")) { if (spa_streq(impl->auth_method, "Digest")) {
realm = find_attr(tokens, "realm"); realm = find_attr(tokens, "realm");
@ -1341,6 +1343,8 @@ static int rtsp_do_options_auth(struct impl *impl, const struct spa_dict *header
impl->realm = strdup(realm); impl->realm = strdup(realm);
impl->nonce = strdup(nonce); impl->nonce = strdup(nonce);
if (impl->realm == NULL || impl->nonce == NULL)
return -ENOMEM;
} }
return rtsp_send(impl, "OPTIONS", NULL, NULL, rtsp_options_auth_reply); return rtsp_send(impl, "OPTIONS", NULL, NULL, rtsp_options_auth_reply);
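Review bot: The realm/nonce check in the second hunk returns -ENOMEM while leaving `impl` half-initialised: `impl->auth_method` already holds "Digest", whichever of `impl->realm` / `impl->nonce` was duplicated successfully stays set, and the other is NULL. If a later path keys on `auth_method` alone (the commit message says realm and nonce are consumed later by MD5_hash()), or the caller does not tear the session down on this error, the NULL pointer this commit guards against may still be reached; that depends on code outside the visible hunks. I would free and reset all three fields before returning, as below, or duplicate into locals and assign to `impl` only once every allocation has succeeded. The same assignments also overwrite any value left by an earlier call without freeing it, if this function can run more than once per connection. The body of rtsp_do_options_auth() starts and ends outside the hunks shown, so how `tokens` is released on the new early returns could not be checked.

```c
	impl->realm = strdup(realm);
	impl->nonce = strdup(nonce);
	if (impl->realm == NULL || impl->nonce == NULL) {
		/* do not leave a partially filled Digest state behind */
		free(impl->realm);
		free(impl->nonce);
		free(impl->auth_method);
		impl->realm = NULL;
		impl->nonce = NULL;
		impl->auth_method = NULL;
		return -ENOMEM;
	}
```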