Fixed Issue #147: Segfaults on ShairPort version 0.05 C port

When requesting resend of packets a lot, iOS sometimes sends a packet with type 0x56 (Reply to resend request), but with sequence number 0 and length == 4. This short length leads to memory corruption later on when processing the packet: alac_decode() expects at least 16 bytes for AES IV. Therefore the segfault. This fix ignores packets with length < 16, as seen in another implementation here: http://fossies.org/dox/mythtv-0.25.1/mythraopconnection_8cpp_source.html#l00555 Please be aware that this just fixes the segfault. The suspicious packet seems to be an information of an out of sync situation, so it may deserve further attention. Signed-off-by: Gregor Fabritius <gre@g0r.de>
knocte · Jul 15, 2012 · c4ec84d · c4ec84d
1 parent f1fd87f
commit c4ec84d
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/hairtunes.c b/hairtunes.c
@@ -445,7 +445,16 @@ static void *rtp_thread_func(void *arg) {
                 plen -= 4;
             }
             seqno = ntohs(*(unsigned short *)(pktp+2));
-            buffer_put_packet(seqno, pktp+12, plen-12);
+
+            // adjust pointer and length
+            pktp += 12;
+            plen -= 12;
+
+            // check if packet contains enough content to be reasonable
+            if (plen < 16)
+                continue;
+
+            buffer_put_packet(seqno, pktp, plen);
         }
     }