Owntone Server NULL Pointer Dereference Vulnerability in safe_atou64 Function Allowing Denial-of-Service
Vulnerability
A NULL pointer dereference vulnerability has been identified in the Owntone Server within the safe_atou64 function in src/misc.c, affecting versions through commit c4d57aa. This vulnerability allows attackers to cause a denial-of-service condition by sending a series of crafted HTTP requests to the server. The issue arises because the safe_atou64 function does not properly validate input, allowing NULL strings to be processed and leading to a crash when the server attempts to convert the NULL value into an unsigned 64-bit integer.
Impact
Exploitation of this vulnerability leads to a denial-of-service condition, causing the server to crash or become unresponsive.
Reproduction
To reproduce this vulnerability, send an HTTP PUT request to the server with the URL '/api/outputs/set'. Include a carefully crafted JSON payload that contains a NULL value in a position that the server will interpret as a string. After the server processes this request, send an HTTP GET request to '/api/outputs'. The server will then call the safe_atou64 function with a NULL parameter, causing a NULL pointer dereference and crashing the server.
Remediation
Users can update to the latest version of Owntone Server, where this vulnerability has been fixed.
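The missing input check described under Vulnerability, shown as an added example in C. This is not OwnTone's code or the upstream fix; the name parse_u64_checked, its return convention and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The range check below relies on strtoull's result type being 64 bits wide. */
_Static_assert(sizeof(unsigned long long) == sizeof(uint64_t), "need 64-bit unsigned long long");

/* Hypothetical helper (not OwnTone's safe_atou64): converts a decimal string
 * to uint64_t. Returns 0 on success and -1 on invalid input, and never
 * dereferences a NULL pointer. */
int parse_u64_checked(const char *str, uint64_t *out)
{
    char *end;
    unsigned long long val;

    if (str == NULL || out == NULL)  /* guard against the NULL string case */
        return -1;
    /* strtoull accepts leading whitespace and signs and wraps "-1" to a huge
     * value, so require the first character to be a digit. This also rejects
     * the empty string. */
    if (!isdigit((unsigned char)str[0]))
        return -1;

    errno = 0;
    val = strtoull(str, &end, 10);
    if (errno == ERANGE)             /* value does not fit in 64 bits */
        return -1;
    if (*end != '\0')                /* trailing non-digit characters */
        return -1;

    *out = (uint64_t)val;
    return 0;
}

int main(void)
{
    /* Constructed inputs; NULL models a JSON field that was null or absent. */
    const char *samples[] = { "42", NULL, "", "-1", "18446744073709551616", "12abc" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t v = 0;
        int rc = parse_u64_checked(samples[i], &v);
        printf("%-22s rc=%d value=%llu\n", samples[i] ? samples[i] : "(NULL)",
               rc, (unsigned long long)v);
    }
    return 0;
}
```

A request handler calling such a helper should treat a -1 result as a malformed request and return an error response instead of continuing with the value.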
