[Midnightbsd-cvs] [MidnightBSD/src] 649502: libalias: Fix buffer overflow in the RTSP handler

Lucas Holt noreply at github.com
Tue Jun 30 23:00:48 EDT 2026


  Branch: refs/heads/stable/4.1
  Home:   https://github.com/MidnightBSD/src
  Commit: 649502467ca1500fe5fa8bfe42af8098553e4704
      https://github.com/MidnightBSD/src/commit/649502467ca1500fe5fa8bfe42af8098553e4704
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-30 (Tue, 30 Jun 2026)

  Changed paths:
    M sys/netinet/libalias/alias_smedia.c

  Log Message:
  -----------
  libalias: Fix buffer overflow in the RTSP handler

The RTSP handler in libalias (alias_smedia.c) rewrote outgoing packets
into a fixed-length 2048-byte stack buffer (plus an 80-byte stemp
buffer) without checking whether the rewritten data fit in the buffer or
back in the original packet.

A host sending crafted RTSP traffic from inside a NAT gateway using
libalias can overflow the stack buffer, potentially achieving remote
code execution in the kernel (ipfw(4) NAT via alias_smedia.ko) or in the
natd(8) process (which typically runs as root, via libalias_smedia.so).
The code runs on outbound-NAT TCP/UDP packets when a source or
destination port is 554 or 7070.

Replace the fixed stack buffers with a heap allocation sized to the
packet's maximum length, add bounds checks throughout, use snprintf()
instead of sprintf(), and bounds-check search_string().

Ported from the FreeBSD fix for SA-26:41.libalias (FreeBSD commit
4c0f47666666), by Mark Johnston.

Security:	FreeBSD-SA-26:41.libalias
Security:	CVE-2026-49420
Obtained from:	FreeBSD

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>


  Commit: 91eb56ba6c01d3cdddffaf4b5e51003bb5deb8f0
      https://github.com/MidnightBSD/src/commit/91eb56ba6c01d3cdddffaf4b5e51003bb5deb8f0
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2026-06-30 (Tue, 30 Jun 2026)

  Changed paths:
    M UPDATING

  Log Message:
  -----------
  UPDATING: Note SA-26:41.libalias fix

Security:	FreeBSD-SA-26:41.libalias
Security:	CVE-2026-49420

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply at anthropic.com>


Compare: https://github.com/MidnightBSD/src/compare/d0ce2eea4861...91eb56ba6c01

To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications


More information about the Midnightbsd-cvs mailing list