Unrated severity · NVD Advisory · Published Nov 14, 2022 · Updated Apr 30, 2025

CVE-2022-43294

Description

Tasmota before commit 066878da4d4762a9b6cb169fdf353e804d735cfd was discovered to contain a stack overflow via the ClientPortPtr parameter at lib/libesp32/rtsp/CRtspSession.cpp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack overflow in Tasmota's RTSP parsing allows remote attackers to cause a denial of service or possibly execute code via a crafted client_port parameter.

Vulnerability

A stack buffer overflow exists in Tasmota versions prior to commit 066878da4d4762a9b6cb169fdf353e804d735cfd (approximately before 2022-11-14). The flaw resides in the CRtspSession::ParseRtspRequest function in lib/libesp32/rtsp/CRtspSession.cpp. When parsing an RTSP request, the code copies the client_port parameter into a fixed-size stack buffer CP (originally 1024 bytes, later reduced to 128 bytes in the fix) using strcpy without bounds checking, leading to a stack overflow [1][2].

Exploitation

An attacker can send a crafted RTSP request with an overly long client_port value to a Tasmota device that has the RTSP feature enabled. No authentication is required if the RTSP service is exposed. The overflow occurs during the strcpy call when ClientPortPtr is found in the request. The attacker controls the length of the input, allowing them to overwrite the stack beyond the buffer [1][2].

Impact

Successful exploitation corrupts the stack, leading to denial of service (crash) or potentially arbitrary code execution in the context of the Tasmota firmware. The exact impact depends on stack layout and memory protections, but the vulnerability is classified as a stack overflow with high severity [1][2].

Mitigation

The vulnerability is fixed in commit 066878da4d4762a9b6cb169fdf353e804d735cfd (Pull Request #16802) by replacing strcpy with strncpy and adding a length check to limit the copy to 128 bytes [1][2]. Users should update Tasmota to a version that includes this commit or later. If updating is not possible, disabling the RTSP feature or restricting network access to the RTSP port can reduce exposure.
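The unchecked-copy pattern described above beside a bounded version, as an added example that is not Tasmota's code or the actual patch. The function names, the `KEY` macro and the error codes are assumptions, and the hardened form uses a length check plus `memcpy` with explicit termination instead of the `strncpy` the fix is described as using, because `strncpy` leaves the buffer unterminated when the source fills it.

```c
#include <stdlib.h>
#include <string.h>

#define CP_SIZE 128            /* size the page gives for the CP buffer after the fix */
#define KEY "client_port="     /* assumed spelling of the parameter inside the request */

/* Unsafe pattern: the sender decides how many bytes land in CP. */
int client_port_unsafe(const char *request)
{
    char CP[CP_SIZE];
    const char *ClientPortPtr = strstr(request, KEY);
    if (ClientPortPtr == NULL)
        return -1;
    strcpy(CP, ClientPortPtr);             /* unbounded copy into a stack buffer */
    return atoi(CP + strlen(KEY));
}

/* Hardened form: measure the field first, refuse what does not fit,
 * then copy exactly that many bytes and terminate explicitly. */
int client_port_checked(const char *request)
{
    char CP[CP_SIZE];
    const char *ClientPortPtr = strstr(request, KEY);
    if (ClientPortPtr == NULL)
        return -1;                         /* parameter absent */
    const char *value = ClientPortPtr + strlen(KEY);
    size_t len = strcspn(value, "-;\r\n"); /* first port ends at '-', ';' or end of line */
    if (len == 0 || len >= sizeof(CP))
        return -2;                         /* empty or oversized: reject, do not truncate */
    memcpy(CP, value, len);
    CP[len] = '\0';
    char *end;
    long port = strtol(CP, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535)
        return -3;                         /* not a decimal port in 1..65535 */
    return (int)port;
}
```

Rejecting an oversized field outright, instead of silently truncating it, also gives the device a clean point at which to log or drop the malformed request.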

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
