rtsp: deal with borked server responses

author Stefan Eissing <stefan@eissing.org>

Mon, 15 Jan 2024 10:33:13 +0000 (11:33 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Mon, 15 Jan 2024 13:13:58 +0000 (14:13 +0100)
author Stefan Eissing <stefan@eissing.org>
Mon, 15 Jan 2024 10:33:13 +0000 (11:33 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Mon, 15 Jan 2024 13:13:58 +0000 (14:13 +0100)
diff --git a/lib/rtsp.c b/lib/rtsp.c

index c911bb6b22a4a454da8214764838434a40acce8f..dba8ae7a67bfef40458294db3fe506340aa06cf1 100644 (file)
--- a/lib/rtsp.c
+++ b/lib/rtsp.c
@@ -822,11 +822,10 @@ static CURLcode rtsp_rtp_write_resp(struct Curl_easy *data,
  
      if(!rtspc->in_header) {
        /* If header parsing is done, extract interleaved RTP messages */
-      if((data->set.rtspreq == RTSPREQ_DESCRIBE) && (data->req.size <= -1)) {
+      if(data->req.size <= -1) {
          /* Respect section 4.4 of rfc2326: If the Content-Length header is
-           absent, a length 0 must be assumed.  It will prevent libcurl from
-           hanging on DESCRIBE request that got refused for whatever
-           reason */
+           absent, a length 0 must be assumed. */
+        data->req.size = 0;
          data->req.download_done = TRUE;
        }
        result = rtsp_filter_rtp(data, buf, blen, &consumed);
@@ -838,13 +837,16 @@ static CURLcode rtsp_rtp_write_resp(struct Curl_easy *data,
  
    if(rtspc->state != RTP_PARSE_SKIP)
      *done = FALSE;
-  /* we MUST have consumed all bytes */
-  DEBUGF(infof(data, "rtsp_rtp_write_resp(len=%zu, in_header=%d, done=%d)",
-               blen, rtspc->in_header, *done));
-  DEBUGASSERT(blen == 0);
-  if(!result && is_eos) {
-    result = Curl_client_write(data, CLIENTWRITE_BODY|CLIENTWRITE_EOS,
-                               (char *)buf, 0);
+  /* we SHOULD have consumed all bytes, unless the response is borked.
+   * In which case we write out the left over bytes, letting the client
+   * writer deal with it (it will report EXCESS and fail the transfer). */
+  DEBUGF(infof(data, "rtsp_rtp_write_resp(len=%zu, in_header=%d, done=%d "
+               " rtspc->state=%d, req.size=%" CURL_FORMAT_CURL_OFF_T ")",
+               blen, rtspc->in_header, *done, rtspc->state, data->req.size));
+  if(!result && (is_eos || blen)) {
+    result = Curl_client_write(data, CLIENTWRITE_BODY|
+                               (is_eos? CLIENTWRITE_EOS:0),
+                               (char *)buf, blen);
    }
  
  out:
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc

index 5008b86e011991c5ae335492f27e93d268941804..ab66fc4cc4c872ef9c2b8c10a451ad8eb02e14c0 100644 (file)
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -96,7 +96,7 @@ test644 test645 test646 test647 test648 test649 test650 test651 test652 \
  test653 test654 test655 test656 test658 test659 test660 test661 test662 \
  test663 test664 test665 test666 test667 test668 test669 test670 test671 \
  test672 test673 test674 test675 test676 test677 test678 test679 test680 \
-test681 test682 test683 test684 test685 test686 test687 test688 \
+test681 test682 test683 test684 test685 test686 test687 test688 test689 \
  \
  test700 test701 test702 test703 test704 test705 test706 test707 test708 \
  test709 test710 test711 test712 test713 test714 test715 test716 test717 \
diff --git a/tests/data/test689 b/tests/data/test689

new file mode 100644 (file)

index 0000000..821556d
--- /dev/null
+++ b/tests/data/test689
@@ -0,0 +1,53 @@
+<testcase>
+
+#Informational
+<info>
+<keywords>
+RTSP
+OPTIONS
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data>
+RTSP/7.1 786          
+
+RTSP/          
+</data>
+<datacheck>
+</datacheck>
+</reply>
+
+# Client-Side
+<client>
+<server>
+rtsp
+</server>
+<tool>
+lib567
+</tool>
+
+<name>
+fuzzing crash issue #12701
+</name>
+<command>
+rtsp://%HOSTIP:%RTSPPORT/%TESTNUMBER
+</command>
+</client>
+
+<verify>
+<protocol>
+OPTIONS rtsp://%HOSTIP:%RTSPPORT/%TESTNUMBER RTSP/1.0\r
+CSeq: 1\r
+User-Agent: test567\r
+Test-Number: 567\r
+\r
+</protocol>
+# 8 == CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+</verify>
+
+</testcase>
diff --git a/tests/libtest/lib567.c b/tests/libtest/lib567.c

index 00937e71d672e2c7cf4c92f6b261aab99551bae7..a912b1663acd11d8b762e92bf6a864b344b90b75 100644 (file)
--- a/tests/libtest/lib567.c
+++ b/tests/libtest/lib567.c
@@ -49,6 +49,7 @@ int test(char *URL)
    /* Dump data to stdout for protocol verification */
    test_setopt(curl, CURLOPT_HEADERDATA, stdout);
    test_setopt(curl, CURLOPT_WRITEDATA, stdout);
+  test_setopt(curl, CURLOPT_VERBOSE, 1L);
  
    test_setopt(curl, CURLOPT_URL, URL);
    test_setopt(curl, CURLOPT_RTSP_STREAM_URI, URL);
author	Stefan Eissing <stefan@eissing.org>
	Mon, 15 Jan 2024 10:33:13 +0000 (11:33 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Mon, 15 Jan 2024 13:13:58 +0000 (14:13 +0100)
lib/rtsp.c		patch \| blob \| blame \| history
tests/data/Makefile.inc		patch \| blob \| blame \| history
tests/data/test689	[new file with mode: 0644]	patch \| blob
tests/libtest/lib567.c		patch \| blob \| blame \| history