[Live-devel] Vulnerabilities in RTPInterface::handleRead()
Brain Lai
brainlai at gmail.com
Tue Apr 8 03:04:23 PDT 2008
Dear Sir:
In RTPInterface::handleRead(), the following code may cause vulnerabilities
due to type inconsistency:
Boolean RTPInterface::handleRead(unsigned char* buffer,
                                 unsigned bufferMaxSize,
                                 unsigned& bytesRead,
                                 struct sockaddr_in& fromAddress) {
  ......
  unsigned curBytesRead;
  while ((curBytesRead = readSocket(envir(), fNextTCPReadStreamSocketNum,
                                    &buffer[bytesRead], curBytesToRead,
                                    fromAddress)) > 0) {
    bytesRead += curBytesRead;
    if (bytesRead >= totBytesToRead) break;
    curBytesToRead -= curBytesRead;
  }
  if (curBytesRead <= 0) {
    bytesRead = 0;
    readSuccess = False;
    RTPOverTCP_OK = False; // HACK #####
  } else {
    readSuccess = True;
  }
  .......
}
Here, readSocket() returns int while curBytesRead is declared unsigned. If
readSocket() returns -1, the above code may cause a problem.
BR.
Brain Lai
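
The type mismatch reported above, reduced to its loop arithmetic, as an added example that is not part of the original post and is not live555 code. fakeReadSocket(), Result, readLoopUnsigned() and readLoopSigned() are hypothetical names; the stand-in reader returns 4 bytes once and -1 afterwards and never touches a buffer, so only the counters are exercised.

```cpp
#include <climits>
#include <cstdio>

// Hypothetical stand-in for readSocket(): 4 bytes on the first call, then -1
// (error) on every later call. Constructed input; no buffer is written.
static int calls = 0;
static int fakeReadSocket(unsigned /*maxBytes*/) { return calls++ == 0 ? 4 : -1; }

struct Result { unsigned bytesRead; bool readSuccess; };

// Same loop shape as the quoted code: the int result is stored in an unsigned.
Result readLoopUnsigned(unsigned totBytesToRead) {
  calls = 0;
  unsigned bytesRead = 0, curBytesToRead = totBytesToRead;
  unsigned curBytesRead;
  while ((curBytesRead = fakeReadSocket(curBytesToRead)) > 0) {  // -1 -> UINT_MAX
    bytesRead += curBytesRead;       // wraps: the offset steps back by one
    if (bytesRead >= totBytesToRead) break;
    curBytesToRead -= curBytesRead;  // wraps: the requested length grows by one
  }
  if (curBytesRead <= 0) return {0, false};  // can only be true for exactly 0
  return {bytesRead, true};
}

// Hardened form: keep the result signed so the error value stays negative.
Result readLoopSigned(unsigned totBytesToRead) {
  calls = 0;
  unsigned bytesRead = 0, curBytesToRead = totBytesToRead;
  int curBytesRead;
  while ((curBytesRead = fakeReadSocket(curBytesToRead)) > 0) {
    bytesRead += (unsigned)curBytesRead;
    if (bytesRead >= totBytesToRead) break;
    curBytesToRead -= (unsigned)curBytesRead;
  }
  if (curBytesRead <= 0) return {0, false};  // error or EOF is now caught
  return {bytesRead, true};
}

int main() {
  Result a = readLoopUnsigned(8), b = readLoopSigned(8);
  std::printf("unsigned: bytesRead=%u success=%d\n", a.bytesRead, a.readSuccess);
  std::printf("signed:   bytesRead=%u success=%d\n", b.bytesRead, b.readSuccess);
  return 0;
}
```

With a persistent -1, the unsigned variant walks bytesRead down from 4 to 0, wraps it to UINT_MAX, and reports success; the signed variant stops at the first error and reports failure with bytesRead reset to 0.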