morgan/UxPlay
1
0
Fork 0
mirror of https://github.com/morgan9e/UxPlay synced 2026-04-14 00:04:13 +09:00
Code Issues Packages Projects Releases Wiki Activity

http request/response security (suggestions by @0pepsi)

Browse Source 
parse CSec header, to reject invalid values
impose limits on http header sizes (guard against DOS attacks)
set MAX_RESPONSE_SIZE in http_response
This commit is contained in:
F. Duncanh
2026-01-16 23:35:44 -05:00
parent 78472470af
commit 0133170ff7
6 changed files with 93 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
lib/http_request.c
View File

@@ -273,6 +273,30 @@ http_request_get_header(http_request_t *request, const char *name)
return NULL; return NULL;
} }
size_t
http_request_header_get_size(http_request_t *request, int *num_fields, size_t *max_field_len, size_t *max_value_len) {
size_t total = 0;
if (max_field_len) {
*max_field_len = 0;
}
if (max_value_len) {
*max_value_len = 0;
}
if (num_fields) {
*num_fields = request->headers_size / 2;
}
for (int i = 0; i < request->headers_size; i +=2) {
size_t len = strlen(request->headers[i]);
total += len;
if (i % 2 == 0 && max_field_len && len > *max_field_len) {
*max_field_len = len;
} else if (max_value_len && len > *max_value_len) {
*max_value_len = len;
}
}
return total;
}
const char * const char *
http_request_get_data(http_request_t *request, int *datalen) http_request_get_data(http_request_t *request, int *datalen)
{ {

1
lib/http_request.h
View File

@@ -32,6 +32,7 @@ const char *http_request_get_url(http_request_t *request);
const char *http_request_get_protocol(http_request_t *request); const char *http_request_get_protocol(http_request_t *request);
const char *http_request_get_header(http_request_t *request, const char *name); const char *http_request_get_header(http_request_t *request, const char *name);
const char *http_request_get_data(http_request_t *request, int *datalen); const char *http_request_get_data(http_request_t *request, int *datalen);
size_t http_request_header_get_size(http_request_t *request, int *fields, size_t *max_field_len, size_t *max_value_len);
int http_request_get_header_string(http_request_t *request, char **header_str); int http_request_get_header_string(http_request_t *request, char **header_str);
bool http_request_is_reverse(http_request_t *request); bool http_request_is_reverse(http_request_t *request);
void http_request_set_reverse(http_request_t *request); void http_request_set_reverse(http_request_t *request);

28
lib/http_response.c
View File

@@ -25,11 +25,12 @@ struct http_response_s {
int disconnect; int disconnect;
char *data; char *data;
int data_size; int buffer_size;
int data_length; int data_length;
}; };
#define MAX_RESPONSE_SIZE (64 * 1024)
static void static void
http_response_add_data(http_response_t *response, const char *data, int datalen) http_response_add_data(http_response_t *response, const char *data, int datalen)
{ {
@@ -37,13 +38,24 @@ http_response_add_data(http_response_t *response, const char *data, int datalen)
assert(data); assert(data);
assert(datalen > 0); assert(datalen > 0);
int newdatasize = response->data_size; if (response->data_length + datalen > MAX_RESPONSE_SIZE) {
while (response->data_length + datalen > newdatasize) { fprintf(stderr, "ERROR: http_response_add_data: cannot add data as MAX_RESPONSE_SIZE = %d would be exceeded\n",
newdatasize *= 2; (int) MAX_RESPONSE_SIZE);
return;
} }
if (newdatasize != response->data_size) {
response->data = realloc(response->data, newdatasize); size_t newbufsize = response->buffer_size;
while (response->data_length + datalen > newbufsize) {
newbufsize *= 2;
if (newbufsize > MAX_RESPONSE_SIZE) {
newbufsize = MAX_RESPONSE_SIZE;
break;
}
}
if (newbufsize != response->buffer_size) {
response->data = realloc(response->data, newbufsize);
assert(response->data); assert(response->data);
response->buffer_size = newbufsize;
} }
memcpy(response->data+response->data_length, data, datalen); memcpy(response->data+response->data_length, data, datalen);
response->data_length += datalen; response->data_length += datalen;
@@ -58,8 +70,8 @@ http_response_create()
return NULL; return NULL;
} }
/* Allocate response data */ /* Allocate response data */
response->data_size = 1024; response->buffer_size = 1024;
response->data = (char *) malloc(response->data_size); response->data = (char *) malloc(response->buffer_size);
if (!response->data) { if (!response->data) {
free(response); free(response);
return NULL; return NULL;

33
lib/raop.c
View File

@@ -219,8 +219,37 @@ conn_request(void *ptr, http_request_t *request, http_response_t **response) {
return; return;
} }
/* ¨idenitfy if request is a response to a BLE beaconn */ #define MAX_HDR_FIELDS 20
const char *cseq = http_request_get_header(request, "CSeq"); #define MAX_HDR_FIELD_LEN 64
#define MAX_HDR_VALUE_LEN 1024
/*impose limits on header sizes to defend against DOS attacks */
size_t max_field_len, max_value_len;
int num_fields;
http_request_header_get_size(request, &num_fields, &max_field_len, &max_value_len);
if (num_fields > MAX_HDR_FIELDS || max_field_len > MAX_HDR_FIELD_LEN || max_value_len > MAX_HDR_VALUE_LEN) {
logger_log(raop->logger, LOGGER_ERR, "rejecting request with overlong headers: %d fields,"
"max field_name length %d, max field value length %d",
num_fields, (int) max_field_len, (int) max_value_len);
*response = http_response_create();
http_response_init(*response, protocol, 431, "Request Header Fields Too Large");
return;
}
/* handle CSeq header carefully, as it will be included in response: value should be non-negative int */
char *cseq = NULL;
char cseq_buf[11] = {0};
const char *cseq_req = http_request_get_header(request, "CSeq");
if (cseq_req) {
int cseq_val = parse_int(cseq_req);
if (cseq_val < 0) {
logger_log(raop->logger, LOGGER_ERR, "rejecting request with invalid CSeq value %s", cseq_req);
return; //CSeq header field had invalid value
}
snprintf(cseq_buf, sizeof(cseq_buf), "%u", (unsigned int) cseq_val);
cseq = cseq_buf;
}
/* ¨identify if request is a response to a BLE beacon */
bool ble = false; bool ble = false;
if (!strcmp(protocol,"RTSP/1.0") && !cseq && (strstr(url, "txtAirPlay") || strstr(url, "txtRAOP") )) { if (!strcmp(protocol,"RTSP/1.0") && !cseq && (strstr(url, "txtAirPlay") || strstr(url, "txtRAOP") )) {
logger_log(raop->logger, LOGGER_INFO, "response to Bluetooth LE beacon advertisement received)"); logger_log(raop->logger, LOGGER_INFO, "response to Bluetooth LE beacon advertisement received)");

16
lib/utils.c
View File

@@ -21,6 +21,8 @@
#include <assert.h> #include <assert.h>
#include <time.h> #include <time.h>
#include <stdint.h> #include <stdint.h>
#include <limits.h>
#define SECOND_IN_NSECS 1000000000UL #define SECOND_IN_NSECS 1000000000UL
char * char *
@@ -344,3 +346,17 @@ const char *gmt_time_string() {
return ""; return "";
} }
} }
int parse_int(const char * str) {
/* verify that a string represents a non-negative int, and return it, or return -1 */
char *end_ptr;
assert(str);
long val = strtol(str, &end_ptr, 10);
if ((val == 0 && end_ptr == str) || *end_ptr != '\0') {
return -1;
}
if (val < 0 || val > INT_MAX) {
return -1;
}
return (int) val;
}

1
lib/utils.h
View File

@@ -34,4 +34,5 @@ const char *gmt_time_string();
int utils_ipaddress_to_string(int addresslen, const unsigned char *address, int utils_ipaddress_to_string(int addresslen, const unsigned char *address,
unsigned int zone_id, char *string, int len); unsigned int zone_id, char *string, int len);
char *utils_strip_data_from_plist_xml(char * plist_xml); char *utils_strip_data_from_plist_xml(char * plist_xml);
int parse_int(const char * str);
#endif #endif