static void handle_dial_data(struct mg_connection *conn,
const struct mg_request_info *request_info,
const char *app_name,
const char *origin_header,
int use_payload) {
...
app->dial_data = parse_params(body);
...
It seems dial_data not free if each time a DIAL server receives a POST request sent to an additionalDataUrl.

Could you help confirm it?

Thanks.

Steps to reproduce

1. run the dialclient binary
2. when it asks for a server input a string over 80 chars to cause a buffer overflow

1. the ssdp_search sets the MX value to 10, allowing the device to have upto 10 seconds to respond. Yet, the RESPONSE_TIMEOUT is set to 5 seconds. The wait loop may exit too early.

2. socket descriptors and wait time should be reset on every select() call

3. In ssdp_msearch response, the LOCATION header field is case_insensitive, thus checking against LOCATION may not work all the time (depends on the DIAL server impl). See the spec here where it states

....header fields appearing .... Field names are not case sensitive. 

Please see PR 34

before free(ds)， it should call DIAL_unregister_app() first

Hello!
Any idea how i can add an app to DIAL registry?
Website http://www.dial-multiscreen.org/ is not working...

Hi, I use the latest code of dial server in the github to test. I started the dial server on my pc. When I open the netflix on the google chrome browser (cast extension has been installed), and can receive ssdp message, but the netflix on the browser doesn't show a cast icon. When I use the netflix on the mobile phone, it's OK and I can find the device and the cast icon.
When I use YouTube to test in the two ways, both mobile phone and youtube on browser can find the cast icon and be started by dial.
Is there a bug about Netflix related to this?

hi,
There is a memory leakage in file dial_server.c line 388, app->dial_data is a linked list.
should use ：
void free_dial_data( DIALData **dialData)
{
DIALData *curNode=NULL;
while (*dialData != NULL)
{
curNode =*dialData;
*dialData =curNode->next;
free(curNode->key);
free(curNode->value);
free(curNode);
}
}

when free the dial data , it should retrieve in line 206 when call handle_app_status(), using
app->dial_data=retrieve_dial_data() before using it. And after using up it in line 225, should free again.

I'm working on MAC OS env.
I've succeeded to compile and run. But could not receive any response from the client.
Even in the local machine.

Hi,

We found some issues in DIAL server unit tests

1. launchApplicationInRunningStateWithPayload:
   -> In 6.2.2 Server response, the table shows the return code should be 200 OK if the application is running and the new provided argument passed to the running application successfully. However, the test expects 201 Created.
2. launchApplicationInRunningStateWithNoPayload:
   -> If the application is running and the message body is empty, the dial server should return 200 OK in the table in 6.2.2. But the test expects 201 Created as well.
3. sleepTheSystemWithNoKeyWhenItIsRequired
   -> Once the device sleeps, the test code doesn't wake it up for the later test cases by sending a magic packet through WoL/WoW. Therefore, the later test case can't be run because the device is sleeping.

Could we have your idea about these issues?
Thank you.

Error:
[2021-06-25T14:25:06+05:30] TEST : launchApplicationInRunningStateWithNoPayload.js
[2021-06-25T14:25:06+05:30] DESCRIPTION : Launch Netflix without payload using DIAL server when application is already running and check for response code 201
[2021-06-25T14:25:11+05:30] RESULT : TEST FAILED Error: Error launching Netflix application when it was already running. Expected status code 201 from DIAL server but got 200

I see the above error for the given test case.
For YouTube the required response is 200
For Netflix the required response is 201.
Is this acceptable?

1. Download cross compile gcc from :https://codeload.github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7/zip/master

2. Modify TARGET in the build.sh in server folder:
   export TARGET=~/Desktop/Del/gcc-arm-linux-gnueabihf-4.7-master/bin/arm-linux-gnueabihf-

3. execute build.sh
   ~/Desktop/Del/gcc-arm-linux-gnueabihf-4.7-master/bin/arm-linux-gnueabihf-gcc -Wall -Werror -g nf_callbacks.o -o libnfCallbacks.so --shared
   ~/Desktop/Del/gcc-arm-linux-gnueabihf-4.7-master/bin/../lib/gcc/arm-linux-gnueabihf/4.7.3/../../../../arm-linux-gnueabihf/bin/ld: nf_callbacks.o: relocation R_ARM_THM_MOVW_ABS_NC against `spAppNetflix' can not be used when making a shared object; recompile with -fPIC
   nf_callbacks.o: could not read symbols: Bad value
   collect2: error: ld returned 1 exit status
   make: *** [nf_callbacks_lib] Error 1

Search the stackoverflow:
http://stackoverflow.com/questions/13812185/how-to-recompile-with-fpic

even add -fPIC in server/makefile cannnot fix ir:

nf_callbacks_lib: nf_callbacks.o
$(CC) -Wall -Werror -g nf_callbacks.o -o libnfCallbacks.so --shared -fPIC

The nodejs tests for a DIAL server have multiple issues where incorrect codes are expected in response to a POST request to the Application Resource URL:

1. https://github.com/Netflix/dial-reference/blob/master/server/tests/js_tests/tests/launchApplicationInRunningStateWithNoPayload.js#L86

2. https://github.com/Netflix/dial-reference/blob/master/server/tests/js_tests/tests/launchApplicationInRunningStateWithPayload.js#L86
   These tests expect a 201 Created when 6.2.2 of the DIAL 2.2 spec indicates 200 OK should be returned if application state is Running. A 201 Created is only appropriate if the application is not currently running or it is hidden.
   For the launchApplicationInRunningStateWithPayload test, if the current application does not support payloads or fails to process the payload, a 501 Not Implemented is also acceptable (new for DIAL 2.2)

3. https://github.com/Netflix/dial-reference/blob/master/server/tests/js_tests/tests/hideInvalidApplicationInstance.js#L39
   Similar to the above issues, this test expects a 201 Created response regardless the current state of the application, when 6.2.2 of the DIAL 2.2 spec indicates 200 OK should be returned if application state is Running or Starting and 201 Created should be returned if the application state Stopped . However, this test assumes the application is not currently running and is missing the startAppIfNotRunning() function found in other tests. This assumption can result in intermittent failures of this test.

I think it will be beneficial to add among YouTube and Netfilix possibility to receive screen cast from android device or Chrome browser.

I am a newbie to cpp. When i am trying to evaluate the server, not able to understand how to set the target. Also not able to find the path '/usr/local/i686-netflix-linux-gnu-4.3/bin/i686-netflix-linux-gnu- '. Any help will be appreciated.

Thanks
Binish

The DIAL-Specification and this refernece implementation allows attackers to take partial control over a victims system.
In the DIAL Specification, CORS-Request are allowed if:

• No Origin Header is present
• or: the Origin-Domain matches a whitelisted domain

And blocked if:

• The the scheme indicates an insecure scheme (http:// for example)
  (See section 6.6 in the DIAL-Specification)

This does not take into account referrer-policies. When a Javascript snippet (in most browsers) over https:// sends a request to a dial-server, the origin-header is omitted due to the referrer-policy and the request is allowed.
This allows arbitrary websites to carry out CSRF-Attacks and control Media-Playing devices. An attacker can for example trigger a video playback on a target system.

Dear Sirs,

We are trying to implement the application launch process in DIAL-2ndScreenProtocol-2.1, ch 6.3.

The DIAL 2.1 spec only said that "If a first-screen application receives an ​additionalDataUrl, the application should POST a request to that URL as soon as the additional data is available."
We want to know how to deal with the situation when the DIAL client sends a GET request (step 7) before the first-screen application sends a POST request (step 6)?
Should one of the following rule be applied?

1. The DIAL client has no guarantee to obtain additionalData in GET response (step 8)
2. Add time limitations between the first-screen application receives a launch request (step 4) and responses a POST request (step 6), and between the dial client receives a POST response (step 5) and sends a GET request (step 7).

I'm not sure if it is suitable to ask the question. If not, could you please tell me where is suitable to ask the question?
Thanks for your kind reply.

BRs,
Warner

And also provide ability to change the default timeout.

Hey,

I'm unfamiliar with C/C++, and would like to compile/run the dial server on Mac OS X.

I've installed the XCode command line tools, and when I run make (from the dial-reference/server directory), I get a bunch of errors about symbols not being found:

Undefined symbols for architecture x86_64:
  "_isAppRunning", referenced from:
      _netflix_start in nf_callbacks.o
      _netflix_hide in nf_callbacks.o
      _netflix_status in nf_callbacks.o
      _netflix_stop in nf_callbacks.o
  "_runApplication", referenced from:
      _netflix_start in nf_callbacks.o
  "_shouldRelaunch", referenced from:
      _netflix_start in nf_callbacks.o
  "_spAppNetflix", referenced from:
      _netflix_start in nf_callbacks.o
      _netflix_hide in nf_callbacks.o
      _netflix_status in nf_callbacks.o
      _netflix_stop in nf_callbacks.o
  "_spNetflix", referenced from:
      _netflix_start.netflix_args in nf_callbacks.o
  "_url_encode", referenced from:
      _netflix_start in nf_callbacks.o
ld: symbol(s) not found for architecture x86_64

Has anyone gotten the server to compile on Mac OS X? If so, what were the steps?

Any help would be greatly appreciated!

Is there any plan to extend dial support in an IPv6 only network?
Usecase: Home router is configured in only ipv6 mode. Device-discovery and casting request from remote device shall be handled.

This is probably not an issue per se. However, I would like to understand how do I propose changes to the DIAL specification. If the specification is insufficient for an use case and I have some proposals to meet that use case, where do I submit the proposals?

The URN namespace identifier dial-multiscreen-org has not been registered with IANA, as it should be in accordance with RFC 8141. Please send a registration request to the [email protected] discussion list (visit https://www.ietf.org/mailman/listinfo/urn to sign up) by following the instructions in section 6 of RFC 8141: https://www.rfc-editor.org/rfc/rfc8141#section-6

int DIAL_register_app(DIALServer ds, const char *app_name,
struct DIALAppCallbacks *callbacks, void *user_data,
int useAdditionalData,
const char corsAllowedOrigin) {
DIALApp **ptr, *app;
int ret;

ds_lock(ds);
ptr = find_app(ds, app_name);
if (*ptr != NULL) {  // app already registered
    # ds_unlock(ds);
    ret = 0;
} else {
    app = malloc(sizeof(DIALApp));
    app->callbacks = *callbacks;
    app->name = strdup(app_name);
    app->next = *ptr;
    app->state = kDIALStatusStopped;
    app->callback_data = user_data;
    app->dial_data = retrieve_dial_data(app->name);
    app->useAdditionalData = useAdditionalData;
    app->corsAllowedOrigin[0] = '\0';
    if (corsAllowedOrigin &&
        strlen(corsAllowedOrigin) < sizeof(app->corsAllowedOrigin)) {
      strcpy(app->corsAllowedOrigin, corsAllowedOrigin);
    }
    *ptr = app;
    ret = 1;
}

ds_unlock(ds);

return ret;

}

I think ds_unlock(ds) is called twice . Can you help to confirm it ?
Many thanks.