daap (itunes music sharing)
Aaron J. Seigo
aseigo at kde.org
Wed Mar 9 21:34:28 GMT 2005
On Monday 28 February 2005 06:19, Benjamin Meyer wrote:
> This evening I added to kdeplayground-multimedia a daap directory. :)
cool stuff... someone on irc asked for some help with it because Task was
polluting the namespace... find a patch here:
http://aseigo.bddf.ca/dms/11/147_libdaapclient.diff
which fixes this.
i'm a bit concerned that this requires subclassing to use.. that's always a
bit lame when we have signals/slots around... the switch to making the
protected virtual methods signals instead was trivial. there are probably
some style issues, like:
newTrackData( &file, track );
why pass a pointer around instead of a reference? those are details though...
what i'm really concerned about is that this library talks to other machines
on the network, but then has code like this (slightly reformatted for email):
=======
char songUrl_45[] = "daap://%s/databases/%i/items/%i.%s?session-id=%i";
char requestid_45[] = "Client-DAAP-Request-ID: %u\r\n";
GetFile *pGetFile = malloc(sizeof(GetFile) + (sizeof(songUrl_45) + 11 + 11
+ 11 + 11) + (sizeof(requestid_45) + 11));
*snip .... *
sprintf(pGetFile->url, songUrl_45, pCHThis->host, databaseid, songid,
songformat, pCHThis->sessionid);
=======
there are so many things wrong with this... pCHThis->host is a char* but 11 bytes
are magically added for it.. hopefully this never gets set to anything larger
than 13 bytes (11 + the %s it replaces)... the author also forgot to add 4
bytes for the last %i (though he caught that elsewhere)...
this jibba jabba is just begging for an exploit.
it should obviously be using null safe calls to strlen and using sizeof(int),
etc... this doesn't fill me with confidence for this library. it's not a
trivial library, with its use of multiple threads, networking, and C
primitives like char* to store data. if my brief glance into it to see how
things worked turned up problems like the above ......
i wouldn't feel comfortable with this being in KDE's CVS without a good
security audit done on it first.
--
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
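As an added example (not code from libdaapclient or from this thread), here is the URL construction done the way the mail asks for: the buffer is sized from the actual arguments with a two-pass snprintf instead of a fixed "+11" per field, and NULL strings are rejected before they reach the formatter. The format string is the one quoted above; the function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The format string quoted in the mail. */
static const char songUrlFmt[] =
    "daap://%s/databases/%i/items/%i.%s?session-id=%i";

/* Build the request URL in a buffer sized from the real arguments.
 * Returns a heap-allocated, NUL-terminated string (caller frees) or NULL;
 * NULL strings are refused here instead of being handed to the formatter. */
char *daap_song_url(const char *host, int databaseid, int songid,
                    const char *songformat, int sessionid)
{
    if (host == NULL || songformat == NULL)
        return NULL;
    /* Pass 1: snprintf into a zero-length buffer returns exactly how many
     * characters the expansion needs, for any host length and any sign or
     * width of the integers (no "+11 per field" guesswork). */
    int needed = snprintf(NULL, 0, songUrlFmt, host, databaseid, songid,
                          songformat, sessionid);
    if (needed < 0)
        return NULL;
    size_t size = (size_t)needed + 1;           /* room for the terminator */
    char *url = malloc(size);
    if (url == NULL)
        return NULL;
    /* Pass 2: bounded write into a buffer known to fit; truncation here
     * would mean a bug, so report it rather than return a partial URL. */
    int written = snprintf(url, size, songUrlFmt, host, databaseid, songid,
                           songformat, sessionid);
    if (written < 0 || (size_t)written >= size) {
        free(url);
        return NULL;
    }
    return url;
}

/* Self-test helper: 1 if the built URL equals `expected`, where a NULL
 * `expected` means "construction must fail". */
int daap_song_url_equals(const char *host, int databaseid, int songid,
                         const char *songformat, int sessionid,
                         const char *expected)
{
    char *url = daap_song_url(host, databaseid, songid, songformat, sessionid);
    int ok = (url == NULL) ? (expected == NULL)
                           : (expected != NULL && strcmp(url, expected) == 0);
    free(url);
    return ok;
}
```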
kde-multimedia mailing list
kde-multimedia at kde.org
https://mail.kde.org/mailman/listinfo/kde-multimedia