Summary
I found a reproducible buffer overflow in AirConnect's config XML parsing code.
A crafted config XML file with an oversized <codec> value causes an unbounded strcpy() into fixed-size config fields in both airupnp and aircast.
Affected locations:
airupnp/src/config_upnp.c:126
aircast/src/config_cast.c:123
Affected versions tested
I confirmed the issue on both current master and the latest tagged release:
master:
commit: 62ef6d2665f97c0009e4b398d4a44d5611443640
latest tag/release 1.9.3:
commit: 3710198b90e653a39ca70c6863bab4f82ff6931b
Observed result
With a crafted config XML file, both airupnp and aircast abort during config parsing.
Plain hardened builds abort with:
*** buffer overflow detected ***
exit code: 134
ASan builds report a global-buffer-overflow write through strcpy().
The issue reproduces in both components:
airupnp:
LoadConfigItem()
strcpy()
airupnp/src/config_upnp.c:126
aircast:
LoadConfigItem()
strcpy()
aircast/src/config_cast.c:123
Expected result
Oversized XML config values should be rejected or safely truncated without overflowing fixed-size destination buffers.
Impact
This is best described as a crafted local configuration file issue.
A malformed config XML file can cause memory corruption and process abort during startup/config parsing. I have not confirmed remote unauthenticated reachability.
Suggested fix
Replace the unbounded strcpy() calls with bounded copies, or validate the <codec> value length before copying it into fixed-size fields.
For example, the parser should reject values that exceed the destination buffer size and return a configuration error instead of continuing.
Reproducer package
I attached a minimal reproduction package without binaries:
AirConnect-maintainer-repro-public-minimal.zip
SHA-256: 59958864738061BC34FAF431B2A66B952ED4C14A7E5B09AA3D57EFBF25A69434
The package contains:
README.md
SHA256SUMS.txt
PoC config XML files
plain build reproduction logs
ASan reproduction logs
reproduction scripts
I also have a fuller maintainer package with convenience binaries if needed.
AirConnect-maintainer-repro-public-minimal.zip
Summary
I found a reproducible buffer overflow in AirConnect's config XML parsing code.
A crafted config XML file with an oversized
<codec>value causes an unboundedstrcpy()into fixed-size config fields in bothairupnpandaircast.Affected locations:
Affected versions tested
I confirmed the issue on both current master and the latest tagged release:
Observed result
With a crafted config XML file, both
airupnpandaircastabort during config parsing.Plain hardened builds abort with:
ASan builds report a global-buffer-overflow write through
strcpy().The issue reproduces in both components:
Expected result
Oversized XML config values should be rejected or safely truncated without overflowing fixed-size destination buffers.
Impact
This is best described as a crafted local configuration file issue.
A malformed config XML file can cause memory corruption and process abort during startup/config parsing. I have not confirmed remote unauthenticated reachability.
Suggested fix
Replace the unbounded
strcpy()calls with bounded copies, or validate the<codec>value length before copying it into fixed-size fields.For example, the parser should reject values that exceed the destination buffer size and return a configuration error instead of continuing.
Reproducer package
I attached a minimal reproduction package without binaries:
The package contains:
I also have a fuller maintainer package with convenience binaries if needed.
AirConnect-maintainer-repro-public-minimal.zip