
Bug: Stack-buffer-overflow on RTSPServer::RTSPClientConnection::handleRequestBytes(int) in RTSPServer.cpp #56

Open
Fanny-wen opened this issue Feb 24, 2025 · 1 comment

Fanny-wen commented Feb 24, 2025

seed.zip

Build

  1. Modify config.linux so that the AFLNet compiler wrappers are used:
    COMPILE_OPTS =          $(INCLUDES) -I/usr/local/include -I. -O2 -DSOCKLEN_T=socklen_t -DNO_STD_LIB -D_LARGEFILE_SOURCE=1 -D_FILE_OFFSET_BITS=64 -DALLOW_RTSP_SERVER_PORT_REUSE=1
    C =                     c
    C_COMPILER =            /path/to/aflnet/afl-clang-fast
    C_FLAGS =               $(COMPILE_OPTS) $(CPPFLAGS) $(CFLAGS)
    CPP =                   cpp
    CPLUSPLUS_COMPILER =    /path/to/aflnet/afl-clang-fast++
    CPLUSPLUS_FLAGS =       $(COMPILE_OPTS) -Wall -DBSD=1 $(CPPFLAGS) $(CXXFLAGS)
    OBJ =                   o
    LINK =                  /path/to/aflnet/afl-clang-fast++ -o
    LINK_OPTS =             -L. $(LDFLAGS)
    CONSOLE_LINK_OPTS =     $(LINK_OPTS)
    LIBRARY_LINK =          ar cr
    LIBRARY_LINK_OPTS =
    LIB_SUFFIX =            a
    LIBS_FOR_CONSOLE_APPLICATION = -lssl -lcrypto
    LIBS_FOR_GUI_APPLICATION =
    EXE =
  2. Generate the Makefile:
    ./genMakefiles linux
  3. Compile the source:
    make clean all

Attack

  1. Start testOnDemandRTSPServer under valgrind:
    valgrind ./testOnDemandRTSPServer
  2. Send the packet:
    /path/to/aflnet/aflnet-replay seed1 RTSP 8554

Description
Here is the valgrind report:

==626== Conditional jump or move depends on uninitialised value(s)
==626==    at 0x40C98A: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:843)
==626==    by 0x4AD05B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==626==    by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==626==    by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==626==    by 0x40541D: main (testOnDemandRTSPServer.cpp:462)
==626== 
==626== Conditional jump or move depends on uninitialised value(s)
==626==    at 0x40CAC2: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:864)
==626==    by 0x4AD05B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==626==    by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==626==    by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==626==    by 0x40541D: main (testOnDemandRTSPServer.cpp:462)
==626== 
^C==626== 
==626== Process terminating with default action of signal 2 (SIGINT)
==626==    at 0x502819A: select (select.c:41)
==626==    by 0x4E878F: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:90)
==626==    by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==626==    by 0x40541D: main (testOnDemandRTSPServer.cpp:462)
==626== 
==626== HEAP SUMMARY:
==626==     in use at exit: 25,450 bytes in 368 blocks
==626==   total heap usage: 25,870 allocs, 25,502 frees, 47,852,551 bytes allocated
==626== 
==626== LEAK SUMMARY:
==626==    definitely lost: 0 bytes in 0 blocks
==626==    indirectly lost: 0 bytes in 0 blocks
==626==      possibly lost: 0 bytes in 0 blocks
==626==    still reachable: 25,450 bytes in 368 blocks
==626==         suppressed: 0 bytes in 0 blocks
==626== Rerun with --leak-check=full to see details of leaked memory
==626== 
==626== Use --track-origins=yes to see where uninitialised values come from
==626== For lists of detected and suppressed errors, rerun with: -s
==626== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Fanny-wen commented Feb 25, 2025

poc.zip

Another Stack-buffer-overflow on MatroskaFileParser::stopAnyDeliveryForTrack(unsigned int) in MatroskaFileParser.cpp

Attack

  1. Start testOnDemandRTSPServer under valgrind:
    valgrind ./testOnDemandRTSPServer
  2. Send the packet:
    /path/to/aflnet/aflnet-replay poc RTSP 8554

Description
Here is the valgrind report:

==1907== Conditional jump or move depends on uninitialised value(s)
==1907==    at 0x4B9A3F: MatroskaFileParser::stopAnyDeliveryForTrack(unsigned int) (MatroskaFileParser.cpp:94)
==1907==    by 0x4B8A12: MatroskaDemux::removeTrack(unsigned int) (MatroskaFile.cpp:918)
==1907==    by 0x4C2BC4: MatroskaDemuxedTrack::~MatroskaDemuxedTrack() (MatroskaDemuxedTrack.cpp:36)
==1907==    by 0x4C2C4C: MatroskaDemuxedTrack::~MatroskaDemuxedTrack() (MatroskaDemuxedTrack.cpp:35)
==1907==    by 0x4559CB: MediaLookupTable::remove(char const*) (Media.cpp:152)
==1907==    by 0x455A9F: close (Media.cpp:58)
==1907==    by 0x455A9F: Medium::close(Medium*) (Media.cpp:64)
==1907==    by 0x456B4E: FramedFilter::~FramedFilter() (FramedFilter.cpp:40)
==1907==    by 0x468821: ~H264VideoStreamDiscreteFramer (H264VideoStreamDiscreteFramer.cpp:42)
==1907==    by 0x468821: H264VideoStreamDiscreteFramer::~H264VideoStreamDiscreteFramer() (H264VideoStreamDiscreteFramer.cpp:41)
==1907==    by 0x4559CB: MediaLookupTable::remove(char const*) (Media.cpp:152)
==1907==    by 0x455A9F: close (Media.cpp:58)
==1907==    by 0x455A9F: Medium::close(Medium*) (Media.cpp:64)
==1907==    by 0x4AE62A: OnDemandServerMediaSubsession::sdpLines(int) (OnDemandServerMediaSubsession.cpp:103)
==1907==    by 0x4356F6: ServerMediaSession::generateSDPDescription(int) (ServerMediaSession.cpp:254)
==1907== 
^C==1907== 
==1907== Process terminating with default action of signal 2 (SIGINT)
==1907==    at 0x502819A: select (select.c:41)
==1907==    by 0x4E87BF: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:90)
==1907==    by 0x4ED31B: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==1907==    by 0x40541D: main (testOnDemandRTSPServer.cpp:462)
==1907== 
==1907== HEAP SUMMARY:
==1907==     in use at exit: 38,174,837 bytes in 1,138 blocks
==1907==   total heap usage: 5,969 allocs, 4,831 frees, 50,919,572 bytes allocated
==1907== 
==1907== LEAK SUMMARY:
==1907==    definitely lost: 0 bytes in 0 blocks
==1907==    indirectly lost: 0 bytes in 0 blocks
==1907==      possibly lost: 0 bytes in 0 blocks
==1907==    still reachable: 38,174,837 bytes in 1,138 blocks
==1907==         suppressed: 0 bytes in 0 blocks
==1907== Rerun with --leak-check=full to see details of leaked memory
==1907== 
==1907== Use --track-origins=yes to see where uninitialised values come from
==1907== For lists of detected and suppressed errors, rerun with: -s
==1907== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
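As an added example (not code from this issue, nor from live555 or AFLNet), the following Python script parses the memcheck output format used in both reports above: it splits the log into error blocks, extracts each frame's function and file:line, and buckets reports by error kind and innermost function so that repeated hits on one site (like the two in handleRequestBytes) are triaged once. The sample log is constructed from abbreviated versions of the stacks shown above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the first report above: same memcheck line format, abbreviated stacks.
SAMPLE = """\
==626== Conditional jump or move depends on uninitialised value(s)
==626==    at 0x40C98A: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:843)
==626==    by 0x4AD05B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==626==
==626== Conditional jump or move depends on uninitialised value(s)
==626==    at 0x40CAC2: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:864)
==626==    by 0x4AD05B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==626==
==626== Process terminating with default action of signal 2 (SIGINT)
==626==    at 0x502819A: select (select.c:41)
==626==
==626== HEAP SUMMARY:
"""

PID_RE = re.compile(r"^==\d+==(.*)$")                      # every memcheck line carries the pid prefix
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")  # one stack frame
LOC_RE = re.compile(r"^(.*) \(([^()]+):(\d+)\)$")           # trailing '(file:line)' when debug info exists

def parse_frame(body):
    # 'at 0x...: func (file.cpp:12)' -> (func, file, line); frames without a source location keep None.
    m = FRAME_RE.match(body)
    if not m:
        return None
    loc = LOC_RE.match(m.group(1))
    return (loc.group(1), loc.group(2), int(loc.group(3))) if loc else (m.group(1), None, None)

def parse_valgrind(text):
    # Strip the '==pid==' prefix, split on the blank separator lines, keep blocks that carry a stack.
    lines = [m.group(1).strip() for m in map(PID_RE.match, text.splitlines()) if m]
    errors = []
    for block in "\n".join(lines).split("\n\n"):
        head, *rest = block.strip("\n").split("\n")
        frames = [f for f in map(parse_frame, rest) if f]
        # Headers and summaries have no frames; the SIGINT 'Process terminating' notice is not an error.
        if frames and not head.startswith("Process terminating"):
            errors.append({"kind": head, "frames": frames})
    return errors

def bucket_by_top_frame(errors):
    # Coarse triage dedup: one bucket per (error kind, innermost function), listing each distinct site.
    buckets = defaultdict(set)
    for e in errors:
        func, path, line = e["frames"][0]
        buckets[(e["kind"], func)].add(f"{path}:{line}" if path else "?")
    return {k: sorted(v) for k, v in buckets.items()}
```

Feeding the full reports from both comments through parse_valgrind gives one bucket per report, which is the unit a maintainer would investigate (with --track-origins=yes, as valgrind itself suggests).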
