1*5c7a97aaSMark Johnston /*
2*5c7a97aaSMark Johnston * Copyright (c) 2026 The FreeBSD Foundation
3*5c7a97aaSMark Johnston *
4*5c7a97aaSMark Johnston * This software was developed by Mark Johnston under sponsorship from
5*5c7a97aaSMark Johnston * the FreeBSD Foundation.
6*5c7a97aaSMark Johnston *
7*5c7a97aaSMark Johnston * SPDX-License-Identifier: BSD-2-Clause
8*5c7a97aaSMark Johnston */
9*5c7a97aaSMark Johnston
/*
 * A minimal regression test for a buffer overflow in alias_rtsp_out().
 * It passes an RTSP SETUP request whose Transport header carries 200
 * client_port parameters through LibAliasOut().
 */
13*5c7a97aaSMark Johnston
14*5c7a97aaSMark Johnston #include <sys/types.h>
15*5c7a97aaSMark Johnston #include <sys/sbuf.h>
16*5c7a97aaSMark Johnston
17*5c7a97aaSMark Johnston #include <arpa/inet.h>
18*5c7a97aaSMark Johnston #include <netinet/in.h>
19*5c7a97aaSMark Johnston #include <netinet/ip.h>
20*5c7a97aaSMark Johnston #include <netinet/tcp_var.h>
21*5c7a97aaSMark Johnston
22*5c7a97aaSMark Johnston #include <stdlib.h>
23*5c7a97aaSMark Johnston #include <string.h>
24*5c7a97aaSMark Johnston
25*5c7a97aaSMark Johnston #include <alias.h>
26*5c7a97aaSMark Johnston
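/*
 * Build one outbound TCP segment addressed to port 554 that carries an RTSP
 * SETUP request whose Transport header repeats "client_port=" 200 times, and
 * hand it to LibAliasOut().
 *
 * Returns 0 when LibAliasOut() reports PKT_ALIAS_OK and 1 otherwise,
 * including when the fixture itself (sbuf, packet buffer, libalias instance)
 * cannot be set up.
 *
 * NOTE(review): nothing here inspects memory after the call, so an
 * out-of-bounds write is presumably only noticed if it crashes the process
 * or the program is built with a memory-error detector -- confirm how the
 * test harness builds and runs this file.
 */
int
main(void)
{
	uint8_t *packet = NULL;
	struct ip ip;
	struct tcphdr tcp;
	struct sbuf sb;
	struct libalias *la = NULL;
	size_t pktlen;
	int rc = 1;

	if (sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND) == NULL)
		return (1);
	sbuf_printf(&sb, "SETUP rtsp://example.com/media.mp4 RTSP/1.0\r\n");
	sbuf_printf(&sb, "CSeq: 1\r\n");
	sbuf_printf(&sb, "Transport: RTP/AVP;unicast;");
	for (int i = 0; i < 200; i++)
		sbuf_printf(&sb, "client_port=%d-%d;", 2 * i, 2 * i + 1);
	sbuf_printf(&sb, "\r\n\r\n");
	/*
	 * Append errors are sticky in the sbuf and surface here; without this
	 * check a truncated request would silently stop exercising the long
	 * Transport header.
	 */
	if (sbuf_finish(&sb) != 0)
		goto out;

	/* One length for ip_len, the allocation and the LibAliasOut() call. */
	pktlen = sizeof(ip) + sizeof(tcp) + (size_t)sbuf_len(&sb);

	memset(&tcp, 0, sizeof(tcp));
	tcp.th_sport = htons(1234);
	tcp.th_dport = htons(554);
	tcp.th_off = 5;

	memset(&ip, 0, sizeof(ip));
	ip.ip_v = IPVERSION;
	ip.ip_hl = sizeof(ip) / 4;
	ip.ip_len = htons(pktlen);
	ip.ip_id = htons(1);
	ip.ip_ttl = 64;
	ip.ip_p = IPPROTO_TCP;
	ip.ip_src.s_addr = inet_addr("127.0.0.1");
	ip.ip_dst.s_addr = inet_addr("127.0.0.2");

	/*
	 * The buffer is exactly as large as the packet, with no slack after
	 * the payload, and that same size is what LibAliasOut() is told below.
	 */
	packet = malloc(pktlen);
	if (packet == NULL)
		goto out;
	memcpy(packet, &ip, sizeof(ip));
	memcpy(packet + sizeof(ip), &tcp, sizeof(tcp));
	memcpy(packet + sizeof(ip) + sizeof(tcp), sbuf_data(&sb),
	    (size_t)sbuf_len(&sb));

	la = LibAliasInit(NULL);
	if (la == NULL)
		goto out;
	LibAliasSetAddress(la,
	    (struct in_addr){.s_addr = inet_addr("127.0.0.1")});
	if (LibAliasOut(la, packet, pktlen) == PKT_ALIAS_OK)
		rc = 0;

out:
	/*
	 * Release everything on both the pass and the fail path, so that a
	 * leak report cannot be confused with the defect under test.
	 */
	if (la != NULL)
		LibAliasUninit(la);
	free(packet);
	sbuf_delete(&sb);
	return (rc);
}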