Skip to content

Commit 45b33d9

Browse files
Pavel Siskaxsiska12
Pavel Siska
authored and
xsiska12
committed
rtsp: Check payload length during parsing.
1 parent e41dcb2 commit 45b33d9

File tree

1 file changed

+36
-10
lines changed

1 file changed

+36
-10
lines changed

process/rtsp.cpp

Lines changed: 36 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,7 @@
4949
#include <unirec/unirec.h>
5050
#endif
5151

52+
#include "common.hpp"
5253
#include "rtsp.hpp"
5354

5455
namespace ipxp {
@@ -204,6 +205,7 @@ bool RTSPPlugin::parse_rtsp_request(const char *data, int payload_len, RecordExt
204205
const char *begin;
205206
const char *end;
206207
const char *keyval_delimiter;
208+
size_t remaining;
207209

208210
total++;
209211

@@ -226,14 +228,20 @@ bool RTSPPlugin::parse_rtsp_request(const char *data, int payload_len, RecordExt
226228
*/
227229

228230
/* Find begin of URI. */
229-
begin = strchr(data, ' ');
231+
begin = static_cast<const char *>(memchr(data, ' ', payload_len));
230232
if (begin == nullptr) {
231233
DEBUG_MSG("Parser quits:\tnot a rtsp request header\n");
232234
return false;
233235
}
234236

235237
/* Find end of URI. */
236-
end = strchr(begin + 1, ' ');
238+
239+
if (check_payload_len(payload_len, (begin + 1) - data)) {
240+
DEBUG_MSG("Parser quits:\tpayload end\n");
241+
return false;
242+
}
243+
remaining = payload_len - ((begin + 1) - data);
244+
end = static_cast<const char *>(memchr(begin + 1, ' ', remaining));
237245
if (end == nullptr) {
238246
DEBUG_MSG("Parser quits:\trequest is fragmented\n");
239247
return false;
@@ -260,7 +268,12 @@ bool RTSPPlugin::parse_rtsp_request(const char *data, int payload_len, RecordExt
260268
DEBUG_MSG("\tURI: %s\n", rec->uri);
261269

262270
/* Find begin of next line after request line. */
263-
begin = strchr(end, RTSP_LINE_DELIMITER);
271+
if (check_payload_len(payload_len, end - data)) {
272+
DEBUG_MSG("Parser quits:\tpayload end\n");
273+
return false;
274+
}
275+
remaining = payload_len - (end - data);
276+
begin = static_cast<const char *>(memchr(end, RTSP_LINE_DELIMITER, remaining));
264277
if (begin == nullptr) {
265278
DEBUG_MSG("Parser quits:\tNo line delim after request line\n");
266279
return false;
@@ -279,8 +292,9 @@ bool RTSPPlugin::parse_rtsp_request(const char *data, int payload_len, RecordExt
279292
rec->user_agent[0] = 0;
280293
/* Process headers. */
281294
while (begin - data < payload_len) {
282-
end = strchr(begin, RTSP_LINE_DELIMITER);
283-
keyval_delimiter = strchr(begin, RTSP_KEYVAL_DELIMITER);
295+
remaining = payload_len - (begin - data);
296+
end = static_cast<const char *>(memchr(begin, RTSP_LINE_DELIMITER, remaining));
297+
keyval_delimiter = static_cast<const char *>(memchr(begin, RTSP_KEYVAL_DELIMITER, remaining));
284298

285299
int tmp = end - begin;
286300
if (tmp == 0 || tmp == 1) { /* Check for blank line with \r\n or \n ending. */
@@ -325,6 +339,7 @@ bool RTSPPlugin::parse_rtsp_response(const char *data, int payload_len, RecordEx
325339
const char *begin;
326340
const char *end;
327341
const char *keyval_delimiter;
342+
size_t remaining;
328343
int code;
329344

330345
total++;
@@ -354,14 +369,19 @@ bool RTSPPlugin::parse_rtsp_response(const char *data, int payload_len, RecordEx
354369
*/
355370

356371
/* Find begin of status code. */
357-
begin = strchr(data, ' ');
372+
begin = static_cast<const char *>(memchr(data, ' ', payload_len));
358373
if (begin == nullptr) {
359374
DEBUG_MSG("Parser quits:\tnot a rtsp response header\n");
360375
return false;
361376
}
362377

363378
/* Find end of status code. */
364-
end = strchr(begin + 1, ' ');
379+
if (check_payload_len(payload_len, (begin + 1) - data)) {
380+
DEBUG_MSG("Parser quits:\tpayload end\n");
381+
return false;
382+
}
383+
remaining = payload_len - ((begin + 1) - data);
384+
end = static_cast<const char *>(memchr(begin + 1, ' ', remaining));
365385
if (end == nullptr) {
366386
DEBUG_MSG("Parser quits:\tresponse is fragmented\n");
367387
return false;
@@ -385,7 +405,12 @@ bool RTSPPlugin::parse_rtsp_response(const char *data, int payload_len, RecordEx
385405
rec->code = code;
386406

387407
/* Find begin of next line after request line. */
388-
begin = strchr(end, RTSP_LINE_DELIMITER);
408+
if (check_payload_len(payload_len, end - data)) {
409+
DEBUG_MSG("Parser quits:\tpayload end\n");
410+
return false;
411+
}
412+
remaining = payload_len - (end - data);
413+
begin = static_cast<const char *>(memchr(end, RTSP_LINE_DELIMITER, remaining));
389414
if (begin == nullptr) {
390415
DEBUG_MSG("Parser quits:\tNo line delim after request line\n");
391416
return false;
@@ -404,8 +429,9 @@ bool RTSPPlugin::parse_rtsp_response(const char *data, int payload_len, RecordEx
404429
rec->content_type[0] = 0;
405430
/* Process headers. */
406431
while (begin - data < payload_len) {
407-
end = strchr(begin, RTSP_LINE_DELIMITER);
408-
keyval_delimiter = strchr(begin, RTSP_KEYVAL_DELIMITER);
432+
remaining = payload_len - (begin - data);
433+
end = static_cast<const char *>(memchr(begin, RTSP_LINE_DELIMITER, remaining));
434+
keyval_delimiter = static_cast<const char *>(memchr(begin, RTSP_KEYVAL_DELIMITER, remaining));
409435

410436
int tmp = end - begin;
411437
if (tmp == 0 || tmp == 1) { /* Check for blank line with \r\n or \n ending. */

0 commit comments

Comments
 (0)