Dear Sir:

In RTPInterface::handleRead(), the following code may cause vulnerabilities due to type inconsistency:

    Boolean RTPInterface::handleRead(unsigned char* buffer, unsigned bufferMaxSize,
                                     unsigned& bytesRead, struct sockaddr_in& fromAddress) {
      ......
      unsigned curBytesRead;
      while ((curBytesRead = readSocket(envir(), fNextTCPReadStreamSocketNum,
                                        &buffer[bytesRead], curBytesToRead,
                                        fromAddress)) > 0) {
        bytesRead += curBytesRead;
        if (bytesRead >= totBytesToRead) break;
        curBytesToRead -= curBytesRead;
      }
      if (curBytesRead <= 0) {
        bytesRead = 0;
        readSuccess = False;
        RTPOverTCP_OK = False; // HACK #####
      } else {
        readSuccess = True;
      }
      .......
    }

Here, readSocket() returns int while curBytesRead is declared unsigned. If readSocket() returns -1, the above code may cause a problem.

BR.
Brain Lai
_______________________________________________
live-devel mailing list
live-devel@lists.live555.com
http://lists.live555.com/mailman/listinfo/live-devel
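The mismatch reported in the message above, as an added example that is not part of the original e-mail or of the live555 sources: the quoted loop is reproduced beside a variant that keeps the result signed. `FakeSocket`, `ReadResult` and both function names are hypothetical, and `bytesRead` is assumed to start at 0 because the initialisation is elided in the quoted code.

```cpp
#include <climits>
#include <cstddef>
#include <vector>

// Constructed stand-in for readSocket(): replays scripted return values
// (-1 = error, 0 = connection closed) and never touches a buffer.
struct FakeSocket {
  std::vector<int> script;
  std::size_t next;
  explicit FakeSocket(std::vector<int> v) : script(v), next(0) {}
  int read(unsigned maxBytes) {
    if (next >= script.size()) return 0;
    int r = script[next++];
    return (r > 0 && (unsigned)r > maxBytes) ? (int)maxBytes : r;
  }
};

struct ReadResult { bool readSuccess; unsigned bytesRead; };

// Loop as quoted in the message: the int result is stored in an unsigned.
ReadResult readLoopAsPosted(FakeSocket& s, unsigned totBytesToRead) {
  unsigned bytesRead = 0, curBytesToRead = totBytesToRead;
  unsigned curBytesRead;
  while ((curBytesRead = s.read(curBytesToRead)) > 0) { // -1 becomes UINT_MAX
    bytesRead += curBytesRead;                          // wraps modulo 2^N
    if (bytesRead >= totBytesToRead) break;
    curBytesToRead -= curBytesRead;
  }
  if (curBytesRead <= 0) return {false, 0};  // for unsigned, only true when 0
  return {true, bytesRead};
}

// Same loop with a signed result: a negative return ends the read as a failure.
ReadResult readLoopSigned(FakeSocket& s, unsigned totBytesToRead) {
  unsigned bytesRead = 0, curBytesToRead = totBytesToRead;
  int curBytesRead;
  while ((curBytesRead = s.read(curBytesToRead)) > 0) {
    bytesRead += (unsigned)curBytesRead;
    if (bytesRead >= totBytesToRead) break;
    curBytesToRead -= (unsigned)curBytesRead;
  }
  if (curBytesRead <= 0) return {false, 0};
  return {true, bytesRead};
}
```

With a scripted error on the first read, the loop as posted reports success with `bytesRead` equal to `UINT_MAX`, while the signed variant reports failure with `bytesRead` reset to 0.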