Bug: Stack-buffer-overflow on RTSPServer::RTSPClientConnection::handleRequestBytes(int) in RTSPServer.cpp

[Fanny-wen]

seed.zip

Build

1. Modify the config.linux：

COMPILE_OPTS =          $(INCLUDES) -I/usr/local/include -I. -O2 -DSOCKLEN_T=socklen_t -DNO_STD_LIB -D_LARGEFILE_SOURCE=1 -D_FILE_OFFSET_BITS=64 -DALLOW_RTSP_SERVER_PORT_REUSE=1
C =                     c
C_COMPILER =             **/path/to**/aflnet/afl-clang-fast
C_FLAGS =               $(COMPILE_OPTS) $(CPPFLAGS) $(CFLAGS)
CPP =                   cpp
CPLUSPLUS_COMPILER =    **/path/to**/aflnet/afl-clang-fast++
CPLUSPLUS_FLAGS =       $(COMPILE_OPTS) -Wall -DBSD=1 $(CPPFLAGS) $(CXXFLAGS)
OBJ =                   o
LINK =                   **/path/to**/aflnet/afl-clang-fast++ -o
LINK_OPTS =             -L. $(LDFLAGS)
CONSOLE_LINK_OPTS =     $(LINK_OPTS)
LIBRARY_LINK =          ar cr
LIBRARY_LINK_OPTS =
LIB_SUFFIX =                    a
LIBS_FOR_CONSOLE_APPLICATION = -lssl -lcrypto
LIBS_FOR_GUI_APPLICATION =
EXE =

2. Generate Makefile
   ./genMakefiles linux
3. Compile the source
   make clean all

Attack

1. Starting the testOnDemandRTSPServer with valgrind
   valgrind ./testOnDemandRTSPServer
2. Sending the Packet
   /path/to/aflnet/aflnet-replay seed1 RTSP 8554

Description
Here is the valgrind report:

==626== Conditional jump or move depends on uninitialised value(s)
==626==    at 0x40C98A: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:843)
==626==    by 0x4AD05B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==626==    by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==626==    by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==626==    by 0x40541D: main (testOnDemandRTSPServer.cpp:462)
==626== 
==626== Conditional jump or move depends on uninitialised value(s)
==626==    at 0x40CAC2: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:864)
==626==    by 0x4AD05B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==626==    by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==626==    by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==626==    by 0x40541D: main (testOnDemandRTSPServer.cpp:462)
==626== 
^C==626== 
==626== Process terminating with default action of signal 2 (SIGINT)
==626==    at 0x502819A: select (select.c:41)
==626==    by 0x4E878F: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:90)
==626==    by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==626==    by 0x40541D: main (testOnDemandRTSPServer.cpp:462)
==626== 
==626== HEAP SUMMARY:
==626==     in use at exit: 25,450 bytes in 368 blocks
==626==   total heap usage: 25,870 allocs, 25,502 frees, 47,852,551 bytes allocated
==626== 
==626== LEAK SUMMARY:
==626==    definitely lost: 0 bytes in 0 blocks
==626==    indirectly lost: 0 bytes in 0 blocks
==626==      possibly lost: 0 bytes in 0 blocks
==626==    still reachable: 25,450 bytes in 368 blocks
==626==         suppressed: 0 bytes in 0 blocks
==626== Rerun with --leak-check=full to see details of leaked memory
==626== 
==626== Use --track-origins=yes to see where uninitialised values come from
==626== For lists of detected and suppressed errors, rerun with: -s
==626== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

[Fanny-wen]

poc.zip

Another Stack-buffer-overflow on MatroskaFileParser::stopAnyDeliveryForTrack(unsigned int) in MatroskaFileParser.cpp

Attack

1. Starting the testOnDemandRTSPServer with valgrind
   valgrind ./testOnDemandRTSPServer
2. Sending the Packet
   /path/to/aflnet/aflnet-replay poc RTSP 8554

Description
Here is the valgrind report:

==1907== Conditional jump or move depends on uninitialised value(s)
==1907==    at 0x4B9A3F: MatroskaFileParser::stopAnyDeliveryForTrack(unsigned int) (MatroskaFileParser.cpp:94)
==1907==    by 0x4B8A12: MatroskaDemux::removeTrack(unsigned int) (MatroskaFile.cpp:918)
==1907==    by 0x4C2BC4: MatroskaDemuxedTrack::~MatroskaDemuxedTrack() (MatroskaDemuxedTrack.cpp:36)
==1907==    by 0x4C2C4C: MatroskaDemuxedTrack::~MatroskaDemuxedTrack() (MatroskaDemuxedTrack.cpp:35)
==1907==    by 0x4559CB: MediaLookupTable::remove(char const*) (Media.cpp:152)
==1907==    by 0x455A9F: close (Media.cpp:58)
==1907==    by 0x455A9F: Medium::close(Medium*) (Media.cpp:64)
==1907==    by 0x456B4E: FramedFilter::~FramedFilter() (FramedFilter.cpp:40)
==1907==    by 0x468821: ~H264VideoStreamDiscreteFramer (H264VideoStreamDiscreteFramer.cpp:42)
==1907==    by 0x468821: H264VideoStreamDiscreteFramer::~H264VideoStreamDiscreteFramer() (H264VideoStreamDiscreteFramer.cpp:41)
==1907==    by 0x4559CB: MediaLookupTable::remove(char const*) (Media.cpp:152)
==1907==    by 0x455A9F: close (Media.cpp:58)
==1907==    by 0x455A9F: Medium::close(Medium*) (Media.cpp:64)
==1907==    by 0x4AE62A: OnDemandServerMediaSubsession::sdpLines(int) (OnDemandServerMediaSubsession.cpp:103)
==1907==    by 0x4356F6: ServerMediaSession::generateSDPDescription(int) (ServerMediaSession.cpp:254)
==1907== 
^C==1907== 
==1907== Process terminating with default action of signal 2 (SIGINT)
==1907==    at 0x502819A: select (select.c:41)
==1907==    by 0x4E87BF: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:90)
==1907==    by 0x4ED31B: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==1907==    by 0x40541D: main (testOnDemandRTSPServer.cpp:462)
==1907== 
==1907== HEAP SUMMARY:
==1907==     in use at exit: 38,174,837 bytes in 1,138 blocks
==1907==   total heap usage: 5,969 allocs, 4,831 frees, 50,919,572 bytes allocated
==1907== 
==1907== LEAK SUMMARY:
==1907==    definitely lost: 0 bytes in 0 blocks
==1907==    indirectly lost: 0 bytes in 0 blocks
==1907==      possibly lost: 0 bytes in 0 blocks
==1907==    still reachable: 38,174,837 bytes in 1,138 blocks
==1907==         suppressed: 0 bytes in 0 blocks
==1907== Rerun with --leak-check=full to see details of leaked memory
==1907== 
==1907== Use --track-origins=yes to see where uninitialised values come from
==1907== For lists of detected and suppressed errors, rerun with: -s
==1907== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)