File gst-rtsp-Fix-NULL-pointer.patch of Package gstreamer-rtsp-server

Overview Repositories Revisions Requests Users Attributes Meta

File gst-rtsp-Fix-NULL-pointer.patch of Package gstreamer-rtsp-server

From 44ccca3086dd81081d72ca0b21d0ecdde962fb1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 23 Mar 2020 16:06:43 +0200
Subject: [PATCH] rtsp-auth: Fix NULL pointer dereference when handling an
 invalid basic Authorization header

When using the basic authentication scheme, we wouldn't validate that
the authorization field of the credentials is not NULL and pass it on
to g_hash_table_lookup(). g_str_hash() however is not NULL-safe and will
dereference the NULL pointer and crash.
A specially crafted (read: invalid) RTSP header can cause this to
happen.

As a solution, check for the authorization to be not NULL before
continuing processing it and if it is simply fail authentication.

This fixes CVE-2020-6095 and TALOS-2020-1018.

Discovered by Peter Wang of Cisco ASIG.
---
 gst/rtsp-server/rtsp-auth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gst/rtsp-server/rtsp-auth.c b/gst/rtsp-server/rtsp-auth.c
index ad0be07..b6286e1 100644
--- a/gst/rtsp-server/rtsp-auth.c
+++ b/gst/rtsp-server/rtsp-auth.c
@@ -871,7 +871,7 @@ default_authenticate (GstRTSPAuth * auth, GstRTSPContext * ctx)
 
       GST_DEBUG_OBJECT (auth, "check Basic auth");
       g_mutex_lock (&priv->lock);
-      if ((token =
+      if ((*credential)->authorization && (token =
               g_hash_table_lookup (priv->basic,
                   (*credential)->authorization))) {
         GST_DEBUG_OBJECT (auth, "setting token %p", token);
-- 
2.24.1

Places

File gst-rtsp-Fix-NULL-pointer.patch of Package gstreamer-rtsp-server

Places