[vlc-commits] commit: Thread-safe random numbers for session IDs ( Rémi Denis-Courmont )
git at videolan.org
git at videolan.org
Sat Mar 6 11:30:22 CET 2010
vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sat Mar 6 12:21:02 2010 +0200| [ac8243334cd14ffcf8f407cb5fbee89d4790d389] | committer: Rémi Denis-Courmont
Thread-safe random numbers for session IDs
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=ac8243334cd14ffcf8f407cb5fbee89d4790d389
---
modules/misc/rtsp.c | 7 +++++--
modules/stream_out/rtsp.c | 4 ++--
src/network/httpd.c | 4 +++-
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/modules/misc/rtsp.c b/modules/misc/rtsp.c
index d88522e..7f4ae09 100644
--- a/modules/misc/rtsp.c
+++ b/modules/misc/rtsp.c
@@ -42,6 +42,7 @@
#include <vlc_network.h>
#include <vlc_charset.h>
#include <vlc_strings.h>
+#include <vlc_rand.h>
#ifndef WIN32
# include <locale.h>
@@ -1019,7 +1020,8 @@ static int RtspCallback( httpd_callback_sys_t *p_args, httpd_client_t *cl,
answer->p_body = NULL;
break;
}
- if( asprintf( &psz_new, "%d", rand() ) < 0 )
+#warning Should use secure randomness here! (spoofing risk)
+ if( asprintf( &psz_new, "%lu", vlc_mrand48() ) < 0 )
return VLC_ENOMEM;
psz_session = psz_new;
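Review bot: The session ID in RtspCallback is still taken from `vlc_mrand48()`, which (like the `mrand48()` it wraps) is a linear congruential generator with a 32-bit output, so the `#warning` records the spoofing risk without reducing it; the identical line in the RtspCallbackES hunk has the same issue. `vlc_rand.h` also declares `vlc_rand_bytes()`, which looks like the better source for an identifier that must not be guessable, e.g. `uint64_t id; vlc_rand_bytes( &id, sizeof(id) );` followed by `asprintf( &psz_new, "%"PRIx64, id )`. Separately, `%lu` expects an `unsigned long`; if `vlc_mrand48()` returns a signed `long`, the argument should be cast, `(unsigned long)vlc_mrand48()`, so that negative values are formatted in a defined way. Both function bodies continue outside the hunks shown.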
@@ -1358,7 +1360,8 @@ static int RtspCallbackES( httpd_callback_sys_t *p_args, httpd_client_t *cl,
answer->p_body = NULL;
break;
}
- if( asprintf( &psz_new, "%d", rand() ) < 0 )
+#warning Session ID should be securely random (spoofing risk)
+ if( asprintf( &psz_new, "%lu", vlc_mrand48() ) < 0 )
return VLC_ENOMEM;
psz_session = psz_new;
diff --git a/modules/stream_out/rtsp.c b/modules/stream_out/rtsp.c
index 0d103fa..e237c03 100644
--- a/modules/stream_out/rtsp.c
+++ b/modules/stream_out/rtsp.c
@@ -538,8 +538,8 @@ static int RtspHandler( rtsp_stream_t *rtsp, rtsp_stream_id_t *id,
if( psz_session == NULL )
{
/* Create a dummy session ID */
- snprintf( psz_sesbuf, sizeof( psz_sesbuf ), "%d",
- rand() );
+ snprintf( psz_sesbuf, sizeof( psz_sesbuf ), "%lu",
+ vlc_mrand48() );
psz_session = psz_sesbuf;
}
answer->i_status = 200;
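Review bot: This file's diff adds the call to `vlc_mrand48()` but no `#include <vlc_rand.h>`, unlike the other two files; unless the header is already included above the hunk, the function is implicitly declared as returning `int` and the `%lu` conversion no longer matches its argument. The declaration of `psz_sesbuf` is outside the hunk, so it is worth confirming it still holds the longest `%lu` output (20 digits plus the terminator on LP64), otherwise `snprintf` will silently truncate the ID. The predictability concern flagged with `#warning` in modules/misc/rtsp.c applies here as well, and a comment such as `/* FIXME: session ID should be securely random (spoofing risk) */` would keep the two files consistent.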
diff --git a/src/network/httpd.c b/src/network/httpd.c
index 1fec831..8dbdbf5 100644
--- a/src/network/httpd.c
+++ b/src/network/httpd.c
@@ -36,6 +36,7 @@
#include <vlc_tls.h>
#include <vlc_acl.h>
#include <vlc_strings.h>
+#include <vlc_rand.h>
#include "../libvlc.h"
#include <string.h>
@@ -825,7 +826,8 @@ static int httpd_StreamCallBack( httpd_callback_sys_t *p_sys,
"application/octet-stream" );
httpd_MsgAdd( answer, "Server", "Cougar 4.1.0.3921" );
httpd_MsgAdd( answer, "Pragma", "no-cache" );
- httpd_MsgAdd( answer, "Pragma", "client-id=%d", rand()&0x7fff );
+ httpd_MsgAdd( answer, "Pragma", "client-id=%lu",
+ vlc_mrand48()&0x7fff );
httpd_MsgAdd( answer, "Pragma", "features=\"broadcast\"" );
/* Check if there is a xPlayStrm=1 */