xref: /freebsd/tests/sys/netinet/libalias/smedia.c (revision 5c7a97aaf1ca4b8bc078bc18f73e04499d48598f)
1*5c7a97aaSMark Johnston /*
2*5c7a97aaSMark Johnston  * Copyright (c) 2026 The FreeBSD Foundation
3*5c7a97aaSMark Johnston  *
4*5c7a97aaSMark Johnston  * This software was developed by Mark Johnston under sponsorship from
5*5c7a97aaSMark Johnston  * the FreeBSD Foundation.
6*5c7a97aaSMark Johnston  *
7*5c7a97aaSMark Johnston  * SPDX-License-Identifier: BSD-2-Clause
8*5c7a97aaSMark Johnston  */
9*5c7a97aaSMark Johnston 
10*5c7a97aaSMark Johnston /*
11*5c7a97aaSMark Johnston  * A minimal regression test for a buffer overflow in alias_rtsp_out().
12*5c7a97aaSMark Johnston  */
13*5c7a97aaSMark Johnston 
14*5c7a97aaSMark Johnston #include <sys/types.h>
15*5c7a97aaSMark Johnston #include <sys/sbuf.h>
16*5c7a97aaSMark Johnston 
17*5c7a97aaSMark Johnston #include <arpa/inet.h>
18*5c7a97aaSMark Johnston #include <netinet/in.h>
19*5c7a97aaSMark Johnston #include <netinet/ip.h>
20*5c7a97aaSMark Johnston #include <netinet/tcp_var.h>
21*5c7a97aaSMark Johnston 
22*5c7a97aaSMark Johnston #include <stdlib.h>
23*5c7a97aaSMark Johnston #include <string.h>
24*5c7a97aaSMark Johnston 
25*5c7a97aaSMark Johnston #include <alias.h>
26*5c7a97aaSMark Johnston 
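/*
 * Regression driver for the alias_rtsp_out() buffer overflow named in the
 * file header.
 *
 * Builds one outbound IPv4/TCP segment addressed to port 554 whose payload
 * is an RTSP SETUP request with 200 "client_port=" parameters in its
 * Transport header, then passes it through LibAliasOut().
 *
 * Exit status: 0 when LibAliasOut() returns PKT_ALIAS_OK, 1 otherwise.
 * A failure to build the packet or to create the libalias instance also
 * exits 1, so that a broken setup cannot be mistaken for a pass.
 *
 * NOTE(review): nothing here checks for memory corruption directly.
 * Presumably a regression shows up as a crash or a sanitizer report, so
 * the test is most useful when built with stack protection or ASan.
 * NOTE(review): the test only exercises alias_rtsp_out() if the RTSP
 * handler is active in this libalias instance; confirm that the test
 * environment loads it, otherwise the test passes vacuously.
 */
int
main(void)
{
	struct libalias *la;
	struct sbuf sb;
	struct tcphdr tcp;
	struct ip ip;
	uint8_t *packet;
	size_t pktlen;
	int error;

	la = NULL;
	packet = NULL;
	error = 1;

	if (sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND) == NULL)
		return (1);
	sbuf_printf(&sb, "SETUP rtsp://example.com/media.mp4 RTSP/1.0\r\n");
	sbuf_printf(&sb, "CSeq: 1\r\n");
	sbuf_printf(&sb, "Transport: RTP/AVP;unicast;");
	/* Oversized Transport header: this is the input under test. */
	for (int i = 0; i < 200; i++)
		sbuf_printf(&sb, "client_port=%d-%d;", 2 * i, 2 * i + 1);
	sbuf_printf(&sb, "\r\n\r\n");
	/* A failed finish means an earlier append failed (e.g. ENOMEM). */
	if (sbuf_finish(&sb) != 0)
		goto out;

	/*
	 * Compute the total length once.  It must fit the 16-bit ip_len
	 * field, otherwise htons() below would silently truncate it.
	 */
	pktlen = sizeof(ip) + sizeof(tcp) + (size_t)sbuf_len(&sb);
	if (pktlen > IP_MAXPACKET)
		goto out;

	memset(&tcp, 0, sizeof(tcp));
	tcp.th_sport = htons(1234);
	tcp.th_dport = htons(554);
	tcp.th_off = 5;		/* 20-byte header, no TCP options */

	memset(&ip, 0, sizeof(ip));
	ip.ip_v = IPVERSION;
	ip.ip_hl = sizeof(ip) / 4;
	ip.ip_len = htons(pktlen);
	ip.ip_id = htons(1);
	ip.ip_ttl = 64;
	ip.ip_p = IPPROTO_TCP;
	ip.ip_src.s_addr = inet_addr("127.0.0.1");
	ip.ip_dst.s_addr = inet_addr("127.0.0.2");

	/*
	 * The buffer is exactly pktlen bytes and the same value is passed to
	 * LibAliasOut() as its size limit, so libalias is told that there is
	 * no spare room after the payload.
	 */
	packet = malloc(pktlen);
	if (packet == NULL)
		goto out;
	memcpy(packet, &ip, sizeof(ip));
	memcpy(packet + sizeof(ip), &tcp, sizeof(tcp));
	memcpy(packet + sizeof(ip) + sizeof(tcp), sbuf_data(&sb),
	    (size_t)sbuf_len(&sb));

	la = LibAliasInit(NULL);
	if (la == NULL)
		goto out;
	LibAliasSetAddress(la,
	    (struct in_addr){.s_addr = inet_addr("127.0.0.1")});
	if (LibAliasOut(la, packet, (int)pktlen) == PKT_ALIAS_OK)
		error = 0;

out:
	/* Release everything on every path, including the failure paths. */
	if (la != NULL)
		LibAliasUninit(la);
	free(packet);
	sbuf_delete(&sb);
	return (error);
}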