SF Bug Tracker id 3496933 - Out-of-bounds access in CheckOtherHTTPHeaders

Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:15:34 PST

An out-of-bands access is raised because size of
RespInst->AcceptLanguageHeader is 200 and TmpBuf size is 180.
(cherry picked from commit 69f3fe2330)

ChangeLog

@@ -299,6 +299,15 @@ Version 1.8.0
 Version 1.6.16
 *******************************************************************************
 
+2012-03-05 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
+
+	SF Bug Tracker id 3496933 - Out-of-bounds access in CheckOtherHTTPHeaders
+
+	Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:15:34 PST
+
+	An out-of-bands access is raised because size of
+	RespInst->AcceptLanguageHeader is 200 and TmpBuf size is 180.
+
 2012-03-05 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
 
 	Remove unused currentDevice variable in removeServiceTable

upnp/src/genlib/net/http/webserver.c

@@ -2,6 +2,7 @@
  *
  * Copyright (c) 2000-2003 Intel Corporation 
  * All rights reserved. 
+ * Copyright (c) 2012 France Telecom All rights reserved. 
  *
  * Redistribution and use in source and binary forms, with or without 
  * modification, are permitted provided that the following conditions are met: 
@@ -913,8 +914,13 @@ static int CheckOtherHTTPHeaders(
 				}
 				break;
 			case HDR_ACCEPT_LANGUAGE:
-				memcpy(RespInstr->AcceptLanguageHeader, TmpBuf,
-				       sizeof(RespInstr->AcceptLanguageHeader) - 1);
+				if (sizeof(TmpBuf) > sizeof(RespInstr->AcceptLanguageHeader)) {
+					memcpy(RespInstr->AcceptLanguageHeader, TmpBuf,
+						sizeof(RespInstr->AcceptLanguageHeader) - 1);
+				} else {
+					memcpy(RespInstr->AcceptLanguageHeader, TmpBuf,
+						sizeof(TmpBuf) - 1);
+				}
 				break;
 			default:
 				/*