mirrors/pulseaudio
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git synced 2025-10-29 05:40:23 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

raop: Fix #37: OOB access in rtsp_auth_cb

Browse source 
Allocation for Apple-Challenge key is now defined to 16 bytes
(instead of 16 bits)

This patch fixes Issue #37
https://github.com/hfujita/pulseaudio-raop2/issues/37
This commit is contained in:
ced2c 2016-11-06 12:54:27 -06:00 committed by Tanu Kaskinen
parent 6aaf2b0a1f
commit b365d7e60c
1 changed files with 4 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/modules/raop/raop-client.c
View file

@ -86,6 +86,7 @@
#define VOLUME_MIN -144.0
#define UDP_DEFAULT_PKT_BUF_SIZE 1000
#define APPLE_CHALLENGE_LENGTH 16
struct pa_raop_client {
pa_core *core;
@ -1190,7 +1191,7 @@ static void rtsp_auth_cb(pa_rtsp_client *rtsp, pa_rtsp_state_t state, pa_rtsp_st
switch (state) {
case STATE_CONNECT: {
char *sci = NULL, *sac = NULL;
uint16_t rac;
uint8_t rac[APPLE_CHALLENGE_LENGTH];
struct {
uint32_t ci1;
uint32_t ci2;
@ -1201,9 +1202,9 @@ static void rtsp_auth_cb(pa_rtsp_client *rtsp, pa_rtsp_state_t state, pa_rtsp_st
sci = pa_sprintf_malloc("%08x%08x",rci.ci1, rci.ci2);
pa_rtsp_add_header(c->rtsp, "Client-Instance", sci);
pa_random(&rac, sizeof(rac));
pa_random(rac, APPLE_CHALLENGE_LENGTH);
/* Generate a random Apple-Challenge key */
pa_raop_base64_encode(&rac, 8 * sizeof(rac), &sac);
pa_raop_base64_encode(rac, APPLE_CHALLENGE_LENGTH, &sac);
rtrim_char(sac, '=');
pa_rtsp_add_header(c->rtsp, "Apple-Challenge", sac);