curl-library

bug in RTSP handling in curl 7.35.0 and earlier

From: <mhasselberg_at_versanet.de>
Date: Thu, 20 Mar 2014 10:59:07 +0100 (CET)

Hi,
there seems to be a bug in RTSP handling of libcurl.
In curl-7.35.0 and earlier versions the "Session" tag is being handled
improperly.

In file lib/rtsp.c, function Curl_rtsp_parseheader, lines 765+ you find

765 /* Find the first non-space letter */
766 start = header + 9;
767 while(*start && ISSPACE(*start))
768   start++;

where start points to the "Session:" tag.
However RFC2326 does not state usage nor necessity of whitespace in Session tag
(see clause 12.37):

Session = "Session" ":" session-id [ ";" "timeout" "=" delta-seconds ]

There are 2 issues induced here:
First is that the session-id is truncated by one character at start if there is
no whitespace after the colon.
This is the case and has been observed using SAT>IP receiver Triax TSS400.

Second is that if there is a blank session-id, the pointer is set up behind the
valid data buffer (offset by one error) and thus will point to data regions not
intended.

Fix should be

765 /* Find the first non-space letter */
766 start = header + 8;
767 while(*start && ISSPACE(*start))
768   start++;

Best regards and thanks
Mike

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-03-20
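
The two offsets from the report, compared on constructed headers, as an added example that is not part of the original mail and not libcurl's code. The helper `session_id`, its bounds check, the case-sensitive tag match and the sample headers are assumptions made for illustration; the check reports the blank-id case instead of reading past the buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TAG "Session:"            /* 8 bytes; the report's fix uses header + 8 */

/* Copy the session-id found `skip` bytes into `header` to `out`.
 * Returns the id length, or -1 when `header + skip` would lie past the
 * terminating NUL (the blank-id case) or the header lacks the tag.
 * Hypothetical helper for illustration; not libcurl's function. */
static int session_id(const char *header, size_t skip, char *out, size_t outlen)
{
  size_t len = strlen(header);
  const char *start, *end;

  if(outlen == 0 || strncmp(header, TAG, strlen(TAG)) != 0 || skip > len)
    return -1;

  start = header + skip;
  while(*start && isspace((unsigned char)*start))
    start++;                      /* optional whitespace after the colon */

  end = start;                    /* id ends at ';', whitespace or NUL */
  while(*end && *end != ';' && !isspace((unsigned char)*end))
    end++;

  len = (size_t)(end - start);
  if(len >= outlen)
    len = outlen - 1;             /* truncate rather than overflow out */
  memcpy(out, start, len);
  out[len] = '\0';
  return (int)len;
}

int main(void)
{
  /* Constructed sample headers, not captured traffic. */
  const char *h[] = { "Session:12345678;timeout=60", "Session: 12345678", "Session:" };
  char id[64];
  size_t i, skip;

  for(i = 0; i < 3; i++)
    for(skip = 9; skip >= 8; skip--) {
      int n = session_id(h[i], skip, id, sizeof(id));
      printf("%-28s +%u -> %s\n", h[i], (unsigned)skip, n < 0 ? "(past buffer)" : id);
    }
  return 0;
}
```

With offset 9 the first header yields a truncated id and the blank header is flagged as past the buffer; with offset 8 all three parse as the grammar in clause 12.37 allows.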