From 87ee525b0124755ccab99d873ddf85d9d4969f73 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Mon, 27 Apr 2026 13:05:12 +0200
Subject: [PATCH] security: limit RTSP content-length and check allocation in RAOP client
Input Validation / Memory Safety: Medium
The RTSP client used for RAOP/AirPlay communication accepted arbitrarily large Content-Length values from the remote server without any upper bound. A malicious or compromised AirPlay server could specify a very large Content-Length, causing the client to allocate unbounded memory and potentially exhaust system resources (denial of service). Additionally, the return value of pw_array_add() was not checked. If the allocation failed, the subsequent memcpy would dereference a NULL pointer, causing a crash. Add a 64KB limit on Content-Length (more than sufficient for RTSP control messages) and check the pw_array_add return value.
Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-raop/rtsp-client.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/modules/module-raop/rtsp-client.c b/src/modules/module-raop/rtsp-client.c
index 6302bea4c..d7a59765f 100644
--- a/src/modules/module-raop/rtsp-client.c
+++ b/src/modules/module-raop/rtsp-client.c
@@ -322,6 +322,11 @@ static int process_header(struct pw_rtsp_client *client, char *buf)
 pw_log_debug(" %s: %s", it->key, it->value);
 client->content_length = pw_properties_get_uint32(client->headers, "Content-Length", 0);
+ if (client->content_length > 64 * 1024) {
+ pw_log_error("Content-Length %zu exceeds maximum",
+ client->content_length);
+ return -EOVERFLOW;
+ }
 if (client->content_length > 0)
 client->recv_state = CLIENT_RECV_CONTENT;
 else
@@ -351,6 +356,8 @@ static int process_content(struct pw_rtsp_client *client)
 }
 void *p = pw_array_add(&client->content, res);
+ if (p == NULL)
+ return -ENOMEM;
 memcpy(p, buf, res);
 spa_assert((size_t) res <= client->content_length);
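Review bot: The added bound in process_header is the bare literal `64 * 1024`, and the error message reports the offending value but not the limit that was enforced. A named constant, e.g. `#define MAX_CONTENT_LENGTH (64 * 1024)`, used in both the comparison and the message (`pw_log_error("Content-Length %zu exceeds maximum %d", client->content_length, MAX_CONTENT_LENGTH);`) keeps the two in step and makes the rejection easier to triage from logs. `%zu` is only correct if `content_length` is a `size_t`; its declaration is outside the hunk, so that should be confirmed. The callers of process_header are also outside the hunk: returning `-EOVERFLOW` is safe only if they drop the connection, since the oversized body is presumably still unread on the socket and would otherwise be parsed as the start of the next message.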
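Review bot: The new `-ENOMEM` return in process_content leaves the client state inconsistent: the `res` bytes in `buf` have apparently already been taken from the socket (the read is above the hunk), but they are neither stored nor subtracted from `content_length`. That is safe only if the caller treats any negative return as fatal and closes the connection, which is not visible here; a comment such as `/* bytes already read are lost; caller must tear down the connection */` would record that contract. Unlike the Content-Length rejection, this path is silent, so adding `pw_log_error("out of memory while buffering RTSP content");` before the return would make the failure visible to whoever investigates it. The function body starts and ends outside the hunk.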