Vulnerable Systems:
* LIVE555 Media Server version 2007.11.01 and prior
Immune Systems:
* LIVE555 Media Server version 2007.11.18
The function that handles incoming queries from clients contains a vulnerability that allows an attacker to crash the server remotely using the smallest possible RTSP query.
The problem is caused by the absence of a check that the amount of client data (reqStrSize) is at least 8 bytes. Because the function uses unsigned numbers, "7 - 8" is not -1 but 4294967295, so the loop runs until it reaches the end of the allocated memory and the server crashes.
From liveMedia/RTSPCommon:

    Boolean parseRTSPRequestString(char const* reqStr,
                                   unsigned reqStrSize,
    ...
      unsigned i;
      for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) {
    ...
      // Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows:
      unsigned j = i+1;
      while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j;
      for (j = i+1; j < reqStrSize-8; ++j) {
    ...
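
The wraparound described above, next to a scan that performs the missing length check, as an added example (not code from LIVE555 or from the original advisory). The helper names, the body of the prefix scan and the sample requests are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The value the page's loop compares j against; unsigned, so it wraps below 8. */
unsigned page_bound(unsigned reqStrSize) { return reqStrSize - 8; }

/* Iterations "for (j = start; j < reqStrSize-8; ++j)" admits, computed
   arithmetically so that no memory is actually read. */
unsigned long iterations_admitted(unsigned reqStrSize, unsigned start) {
    unsigned bound = page_bound(reqStrSize);
    return start < bound ? (unsigned long)(bound - start) : 0UL;
}

/* Case-insensitive match of "rtsp:/" at p; caller guarantees 6 readable bytes. */
static int rtsp_prefix_at(const char *p) {
    static const char want[] = "rtsp:/";
    for (unsigned k = 0; k < 6; ++k)
        if (tolower((unsigned char)p[k]) != want[k]) return 0;
    return 1;
}

/* Hardened scan (hypothetical helper; loop body is an assumption): index just
   past an "rtsp:/" or "rtsp://" prefix at or after start, else start. */
unsigned skip_rtsp_prefix(const char *reqStr, unsigned reqStrSize, unsigned start) {
    if (reqStrSize < 8) return start;            /* the missing length check */
    for (unsigned j = start; j < reqStrSize - 8; ++j) {  /* cannot wrap here */
        if (rtsp_prefix_at(reqStr + j)) {
            j += 6;
            return reqStr[j] == '/' ? j + 1 : j;
        }
    }
    return start;
}

int main(void) {
    const char tiny[] = "X \r\n";   /* constructed 4-byte request */
    const char full[] = "DESCRIBE rtsp://host/stream RTSP/1.0\r\n"; /* constructed */
    printf("bound for 7 bytes: %u\n", page_bound(7));
    printf("iterations admitted for tiny request: %lu\n",
           iterations_admitted((unsigned)strlen(tiny), 2));
    printf("hardened, tiny: %u\n", skip_rtsp_prefix(tiny, (unsigned)strlen(tiny), 2));
    printf("hardened, full: %u\n", skip_rtsp_prefix(full, (unsigned)strlen(full), 9));
    return 0;
}
```

With the length check in place, the subtraction is only evaluated when reqStrSize is 8 or more, so the loop bound stays inside the buffer.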