Commit 859d6f63 authored by Filip Roséen's avatar Filip Roséen Committed by Jean-Baptiste Kempf

realrtsp: fixed crash on unsuccessful DESCRIBE-response that includes `Alert`

If the remote server yields an error on the `DESCRIBE` request, while
also including an error message the module would crash due to an invalid
free.

% netcat -l -p 8080 <<EOF
> RTSP/1.0 200 OK
> CSeq: 1
> Server: Real
> RealChallenge1: DEADBEEF
>
> RTSP/1.0 199 OK
> CSeq: 2
> Alert: I like turtles
>
EOF

The reason being that `alert` will point to the middle of allocated
memory. Given the sourroundings the original author probably forgot to
`strdup` the message - even though that is very unnecessary.
Signed-off-by: Jean-Baptiste Kempf's avatarJean-Baptiste Kempf <jb@videolan.org>
parent af2281d5
......@@ -649,13 +649,11 @@ rmff_header_t *real_setup_and_get_header(rtsp_client_t *rtsp_session, int bandw
status=rtsp_request_describe(rtsp_session,NULL);
if ( status<200 || status>299 ) {
msg_Dbg (p_access, "server returned status code %d", status);
char *alert=rtsp_search_answers(rtsp_session,"Alert");
if (alert) {
msg_Dbg(p_access, "server replied with a message: %s", alert);
if ((p_data = rtsp_search_answers(rtsp_session, "Alert"))) {
msg_Dbg(p_access, "server replied with a message: '%s'", p_data);
}
rtsp_send_ok( rtsp_session );
free( challenge1 );
free( alert );
free( buf );
return NULL;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment