From ccc8d0c4388056acc801fd855e065eb2b0ca6578 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= Date: Mon, 23 Mar 2020 16:06:43 +0200 Subject: [PATCH 3/3] rtsp-auth: Fix NULL pointer dereference when handling an invalid basic Authorization header When using the basic authentication scheme, we wouldn't validate that the authorization field of the credentials is not NULL and pass it on to g_hash_table_lookup(). g_str_hash() however is not NULL-safe and will dereference the NULL pointer and crash. A specially crafted (read: invalid) RTSP header can cause this to happen. As a solution, check for the authorization to be not NULL before continuing processing it and if it is simply fail authentication. This fixes CVE-2020-6095 and TALOS-2020-1018. Discovered by Peter Wang of Cisco ASIG. --- gst/rtsp-server/rtsp-auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gst/rtsp-server/rtsp-auth.c b/gst/rtsp-server/rtsp-auth.c index f14286f..c15fa18 100644 --- a/gst/rtsp-server/rtsp-auth.c +++ b/gst/rtsp-server/rtsp-auth.c @@ -871,7 +871,7 @@ default_authenticate (GstRTSPAuth * auth, GstRTSPContext * ctx) GST_DEBUG_OBJECT (auth, "check Basic auth"); g_mutex_lock (&priv->lock); - if ((token = + if ((*credential)->authorization && (token = g_hash_table_lookup (priv->basic, (*credential)->authorization))) { GST_DEBUG_OBJECT (auth, "setting token %p", token); -- 2.20.1