Searching through the LibMMS library, we find that the mms.c file contains the following code at line 775:
sprintf(this->str, "NSPlayer/7.0.0.1956; {%s}; Host: %s", this->guid, this->connect_host);
If we look at where this->str is declared we will see that it is declared as follows:
char str[1024]; /* scratch buffer to built strings */
So this->str is assigned a value using sprintf.
If we look around a bit, we can determine that we control the value stored in this->guid, which in turn influences what sprintf writes into this->str.
Following the chain, we see that the url argument to the mms_connect function:
mms_t *mms_connect (mms_io_t *io, void *data, const char *url, int bandwidth)
is duplicated into this->url:
this->url = strdup (url);
this->url is then passed as the argument to gnet_uri_new:
this->guri = gnet_uri_new(this->url);
which, after reformatting the URL, returns the value stored in guri.
By supplying a sufficiently long url, we should be able to overflow the allotted 1024-byte buffer. If we overflow by a lot, the program will likely crash because important data beyond the buffer has been overwritten.
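To make the size arithmetic concrete, here is an added example (not code from libmms or from this post) that builds the same format string with a bounded snprintf instead of the unbounded sprintf, reports how many bytes the result needs, and rejects a host that would not fit in the 1024-byte scratch buffer; the GUID and host names are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Size of the libmms scratch buffer this->str, as quoted above. */
#define MMS_STR_SIZE 1024

/* Same format string as the sprintf() call in mms.c. */
#define PLAYER_FMT "NSPlayer/7.0.0.1956; {%s}; Host: %s"

/* Bytes the formatted header needs, not counting the terminating NUL.
 * This is what sprintf() writes into str regardless of the buffer's size. */
size_t header_len(const char *guid, const char *host) {
    return (size_t)snprintf(NULL, 0, PLAYER_FMT, guid, host);
}

/* Does the header fit in a buffer of MMS_STR_SIZE bytes, NUL included? */
int header_fits(const char *guid, const char *host) {
    return header_len(guid, host) < MMS_STR_SIZE;
}

/* Bounded replacement for the sprintf() call. Writes at most dstlen bytes,
 * always NUL-terminates, and returns -1 when the result was cut short, which
 * is exactly the case where the original unbounded sprintf() overflows. */
int build_header(char *dst, size_t dstlen, const char *guid, const char *host) {
    int n = snprintf(dst, dstlen, PLAYER_FMT, guid, host);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return 0;
}

/* Fills host with n copies of 'A' to stand in for an oversized URL host. */
void fill_host(char *host, size_t n) {
    memset(host, 'A', n);
    host[n] = '\0';
}

int main(void) {
    /* Constructed placeholder GUID, 36 characters like a real one. */
    const char *guid = "00000000-0000-0000-0000-000000000000";
    char str[MMS_STR_SIZE], host[2000];
    printf("example.com needs %zu bytes, fits: %d\n",
           header_len(guid, "example.com"), header_fits(guid, "example.com"));
    fill_host(host, 1999);
    printf("1999-char host needs %zu bytes, fits: %d\n",
           header_len(guid, host), header_fits(guid, host));
    printf("bounded build rejected it: %d\n", build_header(str, sizeof str, guid, host) == -1);
    return 0;
}
```

With a 36-character GUID the fixed text accounts for 31 bytes, so any host longer than 956 characters already exceeds the buffer.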
I should add that I notified Søren today! (Jan 24, 2023) Thanks Søren!