gstrtspconnection: Security loophole making heap overflow The former code allowed an attacker to create a heap overflow by sending a longer than allowed session id in a response and including a semicolon to change the maximum length. With this change, the parser will never go beyond 512 bytes.

commit: a6f8cbfb6e8e1764b397dbcd08888c54b426bdf2 [log] [tgz]
author: Tobias Ronge <tobiasr@axis.com> Thu Mar 14 10:12:27 2019 +0100
committer: Jonas Larsson <ljonas@google.com> Tue Nov 17 12:35:52 2020 -0800
tree: a94b65bb3ce6cb4f8c2552e9b41e8adf63617c1f
parent: 384ff7d0268c71e76f7328a9ca6dfe96e4a3ab23 [diff]
diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
index 76ae7d4..81239dc 100644
--- a/gst-libs/gst/rtsp/gstrtspconnection.c
+++ b/gst-libs/gst/rtsp/gstrtspconnection.c

@@ -2128,7 +2128,7 @@
           maxlen = sizeof (conn->session_id) - 1;
           /* the sessionid can have attributes marked with ;
            * Make sure we strip them */
-          for (i = 0; session_id[i] != '\0'; i++) {
+          for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
             if (session_id[i] == ';') {
               maxlen = i;
               /* parse timeout */
commit	a6f8cbfb6e8e1764b397dbcd08888c54b426bdf2	[log] [tgz]
author	Tobias Ronge <tobiasr@axis.com>	Thu Mar 14 10:12:27 2019 +0100
committer	Jonas Larsson <ljonas@google.com>	Tue Nov 17 12:35:52 2020 -0800
tree	a94b65bb3ce6cb4f8c2552e9b41e8adf63617c1f
parent	384ff7d0268c71e76f7328a9ca6dfe96e4a3ab23 [diff]