[mythtv-commits] Ticket #7886: Backend crashes when invalid network request received

MythTV mythtv at cvs.mythtv.org
Sat Jan 9 13:34:10 UTC 2010 

#7886: Backend crashes when invalid network request received
-------------------------------------------------+--------------------------
 Reporter:  Ronald Frazier <ron@…>               |       Owner:  ijr       
     Type:  defect                               |      Status:  new       
 Priority:  minor                                |   Milestone:  unknown   
Component:  MythTV - General                     |     Version:  0.22-fixes
 Severity:  medium                               |     Mlocked:  0         
-------------------------------------------------+--------------------------
 I've discovered that mythbackend can be crashed by a network request which
 includes an invalid number of parameters. My example case was using the
 perl bindings and calling new_program with a blank starttime (which itself
 makes a QUERY_RECORDING TIMESLOT request to the backend with a blank
 starttime). However, I've discovered a number of other cases where it can
 happen.

 The source of the bug is in mainserver.cpp. ProcessRequestWork reads a
 "QStringList listline" off of the socket. It then takes the first element
 (listline[0]) and splits it into "QStringList tokens". The listline and
 tokens variables are then sent to various request handlers, some of which
 access array indices without first checking the length (which is how my
 backend crash occurred).

 By the way...when listline[0] is accessed in ProcessRequestWork, it never
 verifies size() != 0 either. I'm not sure if it's possible for
 MythSocket::readStringList to create a zero length stringlist while still
 returning true. If so, this is another problem that needs to be fixed.

 I've tried following through the code, to see which functions access
 without properly checking the array size. For the tokens variable, the
 only problematic function I saw was HandleQueryRecording. I'm attatching a
 patch that fixes that.

 For the listline variable, my patch also fixes two spots in
 ProcessRequestWork that were problems...in the (command == "MESSAGE")
 block and (command == "SHUTDOWN_NOW") block. However, there were a number
 of other cases where the indices weren't verified (and a few that use
 QStringList::at(index), which I couldn't determine if that would segfault
 too) and I wasn't sure of the appropriate way to fix them (should they
 generate an error too, or proceed as if a blank line was sent instead) or
 if they needed fixing at all in the case of the at() call. So here is the
 list of (potential) problems I found that my patch does NOT address:

 ProcessRequestWork, in the (command == "BACKEND_MESSAGE") block

 HandleQueryCheckFile

 HandleSGGetFileList

 HandleSGFileQuery

 HandleGetNextFreeRecorder

 HandleRecorderQuery

 HandleSetChannelInfo

 HandleRemoteEncoder

 HandleGetRecorderFromNum

 HandleFileTransferQuery

 HandleMessage

 HandleFillProgramInfo

 HandleIsActiveBackendQuery

-- 
Ticket URL: <http://svn.mythtv.org/trac/ticket/7886>
MythTV <http://www.mythtv.org/>
MythTV

More information about the mythtv-commits mailing list