mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-29 06:46:38 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: clear RAOP auth nonce and realm before freeing

Browse source 
Information Disclosure: Low

The RAOP module's connection cleanup frees the Digest authentication
nonce and realm strings without clearing them first. The nonce is
cryptographic material used in the Digest auth response, and the realm
is combined with the password to produce the h1 hash. After free(),
this data persists in heap memory and could be recovered through memory
disclosure vulnerabilities or core dumps.

Apply explicit_bzero before freeing, consistent with the existing
treatment of impl->password in the module destroy path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-24 17:01:43 +02:00
parent a7619fdfdb
commit 83373292f0
1 changed files with 10 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/modules/module-raop-sink.c
View file

@ -1439,10 +1439,16 @@ static void connection_cleanup(struct impl *impl)
free(impl->auth_method);
impl->auth_method = NULL;
free(impl->realm);
impl->realm = NULL;
free(impl->nonce);
impl->nonce = NULL;
if (impl->realm) {
explicit_bzero(impl->realm, strlen(impl->realm));
free(impl->realm);
impl->realm = NULL;
}
if (impl->nonce) {
explicit_bzero(impl->nonce, strlen(impl->nonce));
free(impl->nonce);
impl->nonce = NULL;
}
}
static void rtsp_disconnected(void *data)