From 0edaf3361db01425cae0daee7dc3f6039f381a17 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Thu, 8 Mar 2012 10:08:09 +0100 Subject: [PATCH] Remove most of strcpy, sprintf and strcat Replace strcpy, sprintf and strcat by strncpy, snprintf and strncat to avoid buffer overflows. (forward port of commit 97a17ff5add73c97844e2fa74456bab4df0800f1) --- ChangeLog | 7 ++++ upnp/src/api/upnpapi.c | 32 ++++++++++++------ upnp/src/api/upnptools.c | 11 +++--- upnp/src/gena/gena_ctrlpt.c | 13 ++++--- upnp/src/gena/gena_device.c | 34 +++++++++++++------ upnp/src/genlib/net/http/httpreadwrite.c | 29 ++++++++++------ upnp/src/genlib/net/http/webserver.c | 19 ++++++++--- upnp/src/genlib/net/uri/uri.c | 12 ++++--- upnp/src/soap/soap_device.c | 3 +- upnp/src/ssdp/ssdp_ctrlpt.c | 26 ++++++++------ upnp/src/ssdp/ssdp_device.c | 43 +++++++++++++++--------- upnp/src/ssdp/ssdp_server.c | 11 ++++-- upnp/src/urlconfig/urlconfig.c | 14 ++++---- 13 files changed, 170 insertions(+), 84 deletions(-) diff --git a/ChangeLog b/ChangeLog index 87870fc..58a5028 100644 --- a/ChangeLog +++ b/ChangeLog @@ -318,6 +318,13 @@ Version 1.8.0 Version 1.6.16 ******************************************************************************* +2012-03-08 Fabrice Fontaine + + Remove most of strcpy, sprintf and strcat + + Replace strcpy, sprintf and strcat by strncpy, snprintf and strncat to + avoid buffer overflows. + 2012-03-07 Yoichi NAKAYAMA SF Bug Tracker id 3497714 - Buffer overflows diff --git a/upnp/src/api/upnpapi.c b/upnp/src/api/upnpapi.c index 4345b33..c0d26d9 100644 --- a/upnp/src/api/upnpapi.c +++ b/upnp/src/api/upnpapi.c @@ -1500,6 +1500,7 @@ static int GetDescDocumentAndURL( struct sockaddr_storage serverAddr; int rc = UPNP_E_SUCCESS; + memset(aliasStr, 0, sizeof(aliasStr)); if (description == NULL) return UPNP_E_INVALID_PARAM; /* non-URL description must have configuration specified */ 
@@ -1551,7 +1552,8 @@ static int GetDescDocumentAndURL( /* Determine alias */ if (config_baseURL) { if (descriptionType == UPNPREG_BUF_DESC) { - strcpy(aliasStr, "description.xml"); + strncpy(aliasStr, "description.xml", + sizeof(aliasStr) - 1); } else { /* URL or filename */ retVal = GetNameForAlias(description, &temp_str); @@ -1564,7 +1566,7 @@ static int GetDescDocumentAndURL( free(temp_str); return UPNP_E_URL_TOO_BIG; } - strcpy(aliasStr, temp_str); + strncpy(aliasStr, temp_str, sizeof(aliasStr) - 1); } if (AddressFamily == AF_INET) { get_server_addr((struct sockaddr *)&serverAddr); @@ -1586,7 +1588,8 @@ static int GetDescDocumentAndURL( ixmlDocument_free(*xmlDoc); return UPNP_E_URL_TOO_BIG; } - strcpy(descURL, description); + strncpy(descURL, description, strlen(description)); + descURL[strlen(description)] = '\0'; } assert(*xmlDoc != NULL); @@ -1617,7 +1620,8 @@ static int GetDescDocumentAndURL( if (strlen(description) > (LINE_SIZE - 1)) { return UPNP_E_URL_TOO_BIG; } - strcpy(descURL, description); + strncpy(descURL, description, strlen(description)); + descURL[strlen(description)] = '\0'; retVal = UpnpDownloadXmlDoc(description, xmlDoc); if (retVal != UPNP_E_SUCCESS) { @@ -1986,7 +1990,8 @@ int UpnpSubscribe( HandleUnlock(); retVal = genaSubscribe(Hnd, EvtUrl, TimeOut, SubsIdTmp); - strcpy(SubsId, UpnpString_get_String(SubsIdTmp)); + memset(SubsId, 0, sizeof(Upnp_SID)); + strncpy(SubsId, UpnpString_get_String(SubsIdTmp), sizeof(Upnp_SID) - 1); exit_function: UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, 
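Review bot: In GetDescDocumentAndURL (hunks `@@ -1586` and `@@ -1617`), `strncpy(descURL, description, strlen(description))` takes its bound from the source string, so it limits nothing that the old strcpy did not. The only real protection is still the `strlen(description) > (LINE_SIZE - 1)` check visible in the second hunk. Bounding by the destination makes the copy safe on its own, e.g. `snprintf(descURL, LINE_SIZE, "%s", description);`, assuming descURL is a LINE_SIZE buffer as that check implies (its declaration is outside the hunk). The same source-length bound appears in the UDN_copy/servId_copy copies in gena_device.c, the urlPath copies in httpreadwrite.c and the RangeInput copy in webserver.c.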
@@ -3436,7 +3441,9 @@ int UpnpGetIfInfo(const char *IfName) (struct ifreq *)((caddr_t) ifConf.ifc_req + i); i += sizeof *pifReq; /* See if this is the sort of interface we want to deal with. */ - strcpy(ifReq.ifr_name, pifReq->ifr_name); + memset(ifReq.ifr_name, 0, sizeof(ifReq.ifr_name)); + strncpy(ifReq.ifr_name, pifReq->ifr_name, + sizeof(ifReq.ifr_name) - 1); if (ioctl(LocalSock, SIOCGIFFLAGS, &ifReq) < 0) { UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, "Can't get interface flags for %s:\n", @@ -3868,7 +3875,9 @@ int getlocalhostname(char *out, size_t out_len) (struct ifreq *)((caddr_t)ifConf.ifc_req + i); i += sizeof *pifReq; /* See if this is the sort of interface we want to deal with. */ - strcpy(ifReq.ifr_name, pifReq->ifr_name); + memset(ifReq.ifr_name, 0, sizeof(ifReq.ifr_name)); + strncpy(ifReq.ifr_name, pifReq->ifr_name, + sizeof(ifReq.ifr_name) - 1); if (ioctl(LocalSock, SIOCGIFFLAGS, &ifReq) < 0) { UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, "Can't get interface flags for %s:\n", @@ -3948,6 +3957,7 @@ int UpnpAddVirtualDir(const char *newDirName) virtualDirList *pCurVirtualDir; char dirName[NAME_SIZE]; + memset( dirName, 0, sizeof( dirName ) ); if( UpnpSdkInit != 1 ) { /* SDK is not initialized */ return UPNP_E_FINISH; @@ -3959,9 +3969,9 @@ int UpnpAddVirtualDir(const char *newDirName) if( *newDirName != '/' ) { dirName[0] = '/'; - strcpy( dirName + 1, newDirName ); + strncpy( dirName + 1, newDirName, sizeof( dirName ) - 1 ); } else { - strcpy( dirName, newDirName ); + strncpy( dirName, newDirName, sizeof( dirName ) - 1 ); } pCurVirtualDir = pVirtualDirList; 
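Review bot: In UpnpAddVirtualDir, `strncpy( dirName + 1, newDirName, sizeof( dirName ) - 1 )` writes from offset 1 with a count sized for offset 0, so a newDirName of NAME_SIZE - 1 characters or more fills the array through its last byte and overwrites the terminator that the new memset provided. dirName is then unterminated when the `strlen( dirName )` in the following `@@ -3980` hunk uses it to place a NUL in pNewVirtualDir->dirName. The count for the prefixed case should be `sizeof( dirName ) - 2`. An over-long name is better rejected than truncated, for example by checking `strlen( newDirName )` against the remaining space before the copy and returning `UPNP_E_INVALID_PARAM`; the function body continues outside the hunk.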
@@ -3980,7 +3990,9 @@ int UpnpAddVirtualDir(const char *newDirName) return UPNP_E_OUTOF_MEMORY; } pNewVirtualDir->next = NULL; - strcpy( pNewVirtualDir->dirName, dirName ); + memset( pNewVirtualDir->dirName, 0, sizeof( pNewVirtualDir->dirName ) ); + strncpy( pNewVirtualDir->dirName, dirName, + sizeof( pNewVirtualDir->dirName ) - 1); *( pNewVirtualDir->dirName + strlen( dirName ) ) = 0; if( pVirtualDirList == NULL ) { /* first virtual dir */ diff --git a/upnp/src/api/upnptools.c b/upnp/src/api/upnptools.c index c3d18a1..8029794 100644 --- a/upnp/src/api/upnptools.c +++ b/upnp/src/api/upnptools.c @@ -2,6 +2,7 @@ * * Copyright (c) 2000-2003 Intel Corporation * All rights reserved. + * Copyright (c) 2012 France Telecom All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -218,13 +219,14 @@ static int addToAction( if (ActBuff == NULL) { return UPNP_E_OUTOF_MEMORY; } + memset(ActBuff, 0, HEADER_LENGTH); if (response) { - sprintf(ActBuff, + snprintf(ActBuff, HEADER_LENGTH - 1, "\r\n", ActionName, ServType, ActionName); } else { - sprintf(ActBuff, + snprintf(ActBuff, HEADER_LENGTH - 1, "\r\n", ActionName, ServType, ActionName); } @@ -291,13 +293,14 @@ static IXML_Document *makeAction( if (ActBuff == NULL) { return NULL; } + memset(ActBuff, 0, HEADER_LENGTH); if (response) { - sprintf(ActBuff, + snprintf(ActBuff, HEADER_LENGTH - 1, "\r\n", ActionName, ServType, ActionName); } else { - sprintf(ActBuff, + snprintf(ActBuff, HEADER_LENGTH - 1, "\r\n", ActionName, ServType, ActionName); } diff --git a/upnp/src/gena/gena_ctrlpt.c b/upnp/src/gena/gena_ctrlpt.c index 90ecca2..9e53a99 100644 --- a/upnp/src/gena/gena_ctrlpt.c +++ b/upnp/src/gena/gena_ctrlpt.c @@ -284,6 +284,7 @@ static int gena_subscribe( uri_type dest_url; http_parser_t response; + memset(timeout_str, 0, sizeof(timeout_str)); UpnpString_clear(sid); /* request timeout to string */ 
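Review bot: In addToAction and makeAction the result of `snprintf(ActBuff, HEADER_LENGTH - 1, ...)` is discarded, so an ActionName/ServType pair too long for the buffer now yields a silently truncated document, and whatever consumes ActBuff after the hunk receives malformed input. Store the result and treat `rc < 0 || (size_t)rc >= HEADER_LENGTH` as a failure that frees ActBuff and returns an error. snprintf already reserves room for the terminator, so the full `HEADER_LENGTH` can be passed and the preceding memset is not needed for termination; this assumes ActBuff is allocated with HEADER_LENGTH bytes, which the added memset implies but the hunk does not show. The unchecked `snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, ...)` calls in ssdp_device.c have the same silent-truncation behaviour.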
@@ -291,11 +292,12 @@ static int gena_subscribe( timeout = &local_timeout; } if (*timeout < 0) { - strcpy(timeout_str, "infinite"); + strncpy(timeout_str, "infinite", sizeof(timeout_str) - 1); } else if(*timeout < CP_MINIMUM_SUBSCRIPTION_TIME) { - sprintf(timeout_str, "%d", CP_MINIMUM_SUBSCRIPTION_TIME); + snprintf(timeout_str, sizeof(timeout_str) - 1, + "%d", CP_MINIMUM_SUBSCRIPTION_TIME); } else { - sprintf(timeout_str, "%d", *timeout); + snprintf(timeout_str, sizeof(timeout_str) - 1, "%d", *timeout); } /* parse url */ @@ -513,6 +515,9 @@ int genaSubscribe( UpnpString *EventURL = UpnpString_new(); struct Handle_Info *handle_info; + memset(temp_sid, 0, sizeof(temp_sid)); + memset(temp_sid2, 0, sizeof(temp_sid2)); + UpnpPrintf(UPNP_INFO, GENA, __FILE__, __LINE__, "GENA SUBSCRIBE BEGIN"); UpnpString_clear(out_sid); @@ -545,7 +550,7 @@ int genaSubscribe( /* generate client SID */ uuid_create(&uid ); uuid_unpack(&uid, temp_sid); - sprintf(temp_sid2, "uuid:%s", temp_sid); + snprintf(temp_sid2, sizeof(temp_sid2) - 1, "uuid:%s", temp_sid); UpnpString_set_String(out_sid, temp_sid2); /* create event url */ diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c index f985fe4..4f77b16 100644 --- a/upnp/src/gena/gena_device.c +++ b/upnp/src/gena/gena_device.c @@ -493,8 +493,10 @@ int genaInitNotify( goto ExitFunction; } - strcpy(UDN_copy, UDN); - strcpy(servId_copy, servId); + memset(UDN_copy, 0, strlen(UDN) + 1); + strncpy(UDN_copy, UDN, strlen(UDN)); + memset(servId_copy, 0, strlen(servId) + 1); + strncpy(servId_copy, servId, strlen(servId)); HandleLock(); @@ -650,8 +652,10 @@ int genaInitNotifyExt( goto ExitFunction; } - strcpy(UDN_copy, UDN); - strcpy(servId_copy, servId); + memset(UDN_copy, 0, strlen(UDN) + 1); + strncpy(UDN_copy, UDN, strlen(UDN)); + memset(servId_copy, 0, strlen(servId) + 1); + strncpy(servId_copy, servId, strlen(servId)); HandleLock(); 
@@ -807,8 +811,10 @@ int genaNotifyAllExt( goto ExitFunction; } - strcpy(UDN_copy, UDN); - strcpy(servId_copy, servId); + memset(UDN_copy, 0, strlen(UDN) + 1); + strncpy(UDN_copy, UDN, strlen(UDN)); + memset(servId_copy, 0, strlen(servId) + 1); + strncpy(servId_copy, servId, strlen(servId)); propertySet = ixmlPrintNode((IXML_Node *)PropSet); if (propertySet == NULL) { @@ -951,8 +957,10 @@ int genaNotifyAll( goto ExitFunction; } - strcpy(UDN_copy, UDN); - strcpy(servId_copy, servId); + memset(UDN_copy, 0, strlen(UDN) + 1); + strncpy(UDN_copy, UDN, strlen(UDN)); + memset(servId_copy, 0, strlen(servId) + 1); + strncpy(servId_copy, servId, strlen(servId)); ret = GeneratePropertySet(VarNames, VarValues, var_count, &propertySet); if (ret != XML_SUCCESS) { @@ -1067,13 +1075,16 @@ static int respond_ok( char timeout_str[100]; int upnp_timeout = UPNP_TIMEOUT; + memset( timeout_str, 0, sizeof( timeout_str ) ); http_CalcResponseVersion( request->major_version, request->minor_version, &major, &minor ); if( time_out >= 0 ) { - sprintf( timeout_str, "TIMEOUT: Second-%d", time_out ); + snprintf( timeout_str, sizeof ( timeout_str ) - 1, + "TIMEOUT: Second-%d", time_out ); } else { - strcpy( timeout_str, "TIMEOUT: Second-infinite" ); + strncpy( timeout_str, "TIMEOUT: Second-infinite", + sizeof ( timeout_str ) - 1 ); } membuffer_init( &response ); @@ -1335,7 +1346,8 @@ void gena_process_subscription_request( /* generate SID */ uuid_create(&uid); uuid_unpack(&uid, temp_sid); - sprintf(sub->sid, "uuid:%s", temp_sid); + memset(sub->sid, 0, sizeof(sub->sid)); + snprintf(sub->sid, sizeof(sub->sid) - 1, "uuid:%s", temp_sid); /* respond OK */ if (respond_ok(info, time_out, sub, request) != UPNP_E_SUCCESS) { diff --git a/upnp/src/genlib/net/http/httpreadwrite.c b/upnp/src/genlib/net/http/httpreadwrite.c index 5b10d18..2a4ed20 100644 --- a/upnp/src/genlib/net/http/httpreadwrite.c +++ b/upnp/src/genlib/net/http/httpreadwrite.c 
@@ -430,6 +430,7 @@ int http_SendMessage(SOCKINFO *info, int *TimeOut, const char *fmt, ...) /* 10 byte allocated for chunk header. */ size_t Data_Buf_Size = WEB_SERVER_BUF_SIZE; + memset(Chunk_Header, 0, sizeof(Chunk_Header)); va_start(argp, fmt); while ((c = *fmt++) != 0) { if (c == 'I') { @@ -507,9 +508,13 @@ int http_SendMessage(SOCKINFO *info, int *TimeOut, const char *fmt, ...) /* Copy CRLF at the end of the chunk */ memcpy(file_buf + num_read, "\r\n", 2); /* Hex length for the chunk size. */ - sprintf(Chunk_Header, "%" PRIzx, num_read); + memset(Chunk_Header, 0, + sizeof(Chunk_Header)); + snprintf(Chunk_Header, + sizeof(Chunk_Header) - strlen ("\r\n") - 1, + "%" PRIzx, num_read); /*itoa(num_read,Chunk_Header,16); */ - strcat(Chunk_Header, "\r\n"); + strncat(Chunk_Header, "\r\n", strlen ("\r\n")); /* Copy the chunk size header */ memcpy(file_buf - strlen(Chunk_Header), Chunk_Header, @@ -696,7 +701,8 @@ int http_Download( IN const char *url_str, return ret_code; /* make msg */ membuffer_init(&request); - strcpy(urlPath, url_str); + memset(urlPath, 0, strlen(url_str) + 1); + strncpy(urlPath, url_str, strlen(url_str)); hoststr = strstr(urlPath, "//"); if (hoststr == NULL) return UPNP_E_INVALID_URL; @@ -1434,6 +1440,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version, const char *month_str = "Jan\0Feb\0Mar\0Apr\0May\0Jun\0" "Jul\0Aug\0Sep\0Oct\0Nov\0Dec"; + memset(tempbuf, 0, sizeof(tempbuf)); va_start(argp, fmt); while ((c = *fmt++) != 0) { if (c == 's') { 
@@ -1475,13 +1482,14 @@ int http_MakeMessage(membuffer *buf, int http_major_version, } else if (c == 'd') { /* integer */ num = (size_t)va_arg(argp, int); - sprintf(tempbuf, "%" PRIzu, num); + snprintf(tempbuf, sizeof(tempbuf) - 1, "%" PRIzu, num); if (membuffer_append(buf, tempbuf, strlen(tempbuf))) goto error_handler; } else if (c == 'h') { /* off_t */ bignum = (off_t) va_arg(argp, off_t); - sprintf(tempbuf, "%" PRId64, (int64_t) bignum); + snprintf(tempbuf, sizeof(tempbuf) - 1, "%" PRId64, + (int64_t) bignum); if (membuffer_append(buf, tempbuf, strlen(tempbuf))) goto error_handler; } else if (c == 't' || c == 'D') { @@ -1499,7 +1507,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version, } assert(loc_time); date = gmtime(loc_time); - sprintf(tempbuf, + snprintf(tempbuf, sizeof(tempbuf) - 1, "%s%s, %02d %s %d %02d:%02d:%02d GMT%s", start_str, &weekday_str[date->tm_wday * 4], date->tm_mday, &month_str[date->tm_mon * 4], @@ -1556,7 +1564,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version, /* e.g.: 'HTTP/1.1 200 OK' code */ status_code = (int)va_arg(argp, int); assert(status_code > 0); - sprintf(tempbuf, "HTTP/%d.%d %d ", + snprintf(tempbuf, sizeof(tempbuf) - 1, "HTTP/%d.%d %d ", http_major_version, http_minor_version, status_code); /* str */ @@ -1567,7 +1575,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version, } else if (c == 'B') { /* body of a simple reply */ status_code = (int)va_arg(argp, int); - sprintf(tempbuf, "%s%d %s%s", + snprintf(tempbuf, sizeof(tempbuf) - 1, "%s%d %s%s", "

", status_code, http_get_code_text(status_code), "

"); @@ -1702,7 +1710,7 @@ int MakeGetMessageEx( const char *url_str, break; } memset(urlPath, 0, strlen(url_str) + 1); - strcpy(urlPath, url_str); + strncpy(urlPath, url_str, strlen(url_str)); hoststr = strstr(urlPath, "//"); if (hoststr == NULL) { errCode = UPNP_E_INVALID_URL; @@ -1806,7 +1814,8 @@ int http_OpenHttpGetEx( break; } memset(&rangeBuf, 0, sizeof(rangeBuf)); - sprintf(rangeBuf.RangeHeader, + snprintf(rangeBuf.RangeHeader, + sizeof(rangeBuf.RangeHeader) - 1, "Range: bytes=%d-%d\r\n", lowRange, highRange); membuffer_init(&request); errCode = MakeGetMessageEx(url_str, &request, &url, &rangeBuf); diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c index 18641a1..e096c90 100644 --- a/upnp/src/genlib/net/http/webserver.c +++ b/upnp/src/genlib/net/http/webserver.c @@ -318,6 +318,7 @@ static UPNP_INLINE int get_content_type( temp = malloc(length); if (!temp) return UPNP_E_OUTOF_MEMORY; + memset(temp, 0, length); sprintf(temp, "%s/%s", type, subtype); UpnpFileInfo_set_ContentType(fileInfo, temp); free(temp); @@ -773,7 +774,8 @@ static int CreateHTTPRangeResponseHeader( RangeInput = malloc(strlen(ByteRangeSpecifier) + 1); if (!RangeInput) return UPNP_E_OUTOF_MEMORY; - strcpy(RangeInput, ByteRangeSpecifier); + memset(RangeInput, 0, strlen(ByteRangeSpecifier) + 1); + strncpy(RangeInput, ByteRangeSpecifier, strlen(ByteRangeSpecifier)); /* CONTENT-RANGE: bytes 222-3333/4000 HTTP_PARTIAL_CONTENT */ if (StrStr(RangeInput, "bytes") == NULL || (Ptr = StrStr(RangeInput, "=")) == NULL) { 
@@ -792,13 +794,15 @@ static int CreateHTTPRangeResponseHeader( free(RangeInput); return HTTP_REQUEST_RANGE_NOT_SATISFIABLE; } + memset(Instr->RangeHeader, 0, sizeof(Instr->RangeHeader)); if (FirstByte >= 0 && LastByte >= 0 && LastByte >= FirstByte) { if (LastByte >= FileLength) LastByte = FileLength - 1; Instr->RangeOffset = FirstByte; Instr->ReadSendSize = LastByte - FirstByte + 1; /* Data between two range. */ - sprintf(Instr->RangeHeader, + snprintf(Instr->RangeHeader, + sizeof(Instr->RangeHeader) - 1, "CONTENT-RANGE: bytes %" PRId64 "-%" PRId64 "/%" PRId64 "\r\n", (int64_t)FirstByte, @@ -808,7 +812,10 @@ static int CreateHTTPRangeResponseHeader( && FirstByte < FileLength) { Instr->RangeOffset = FirstByte; Instr->ReadSendSize = FileLength - FirstByte; - sprintf(Instr->RangeHeader, + memset(Instr->RangeHeader, 0, + sizeof(Instr->RangeHeader)); + snprintf(Instr->RangeHeader, + sizeof(Instr->RangeHeader) - 1, "CONTENT-RANGE: bytes %" PRId64 "-%" PRId64 "/%" PRId64 "\r\n", (int64_t)FirstByte, @@ -818,7 +825,8 @@ static int CreateHTTPRangeResponseHeader( if (LastByte >= FileLength) { Instr->RangeOffset = 0; Instr->ReadSendSize = FileLength; - sprintf(Instr->RangeHeader, + snprintf(Instr->RangeHeader, + sizeof(Instr->RangeHeader) - 1, "CONTENT-RANGE: bytes 0-%" PRId64 "/%" PRId64 "\r\n", (int64_t)(FileLength - 1), @@ -826,7 +834,8 @@ static int CreateHTTPRangeResponseHeader( } else { Instr->RangeOffset = FileLength - LastByte; Instr->ReadSendSize = LastByte; - sprintf(Instr->RangeHeader, + snprintf(Instr->RangeHeader, + sizeof(Instr->RangeHeader) - 1, "CONTENT-RANGE: bytes %" PRId64 "-%" PRId64 "/%" PRId64 "\r\n", (int64_t)(FileLength - LastByte + 1), diff --git a/upnp/src/genlib/net/uri/uri.c b/upnp/src/genlib/net/uri/uri.c index 9769291..0c3a629 100644 --- a/upnp/src/genlib/net/uri/uri.c +++ b/upnp/src/genlib/net/uri/uri.c 
@@ -2,6 +2,7 @@ * * Copyright (c) 2000-2003 Intel Corporation * All rights reserved. + * Copyright (c) 2012 France Telecom All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -589,12 +590,13 @@ char *resolve_rel_url(char *base_url, char *rel_url) if( out == NULL ) { return NULL; } + memset( out, 0, strlen( base_url ) + strlen( rel_url ) + 2 ); if( ( parse_uri( rel_url, strlen( rel_url ), &rel ) ) == HTTP_SUCCESS ) { if( rel.type == ABSOLUTE ) { - strcpy( out, rel_url ); + strncpy( out, rel_url, strlen ( rel_url ) ); } else { if( ( parse_uri( base_url, strlen( base_url ), &base ) == @@ -602,7 +604,7 @@ char *resolve_rel_url(char *base_url, char *rel_url) && ( base.type == ABSOLUTE ) ) { if( strlen( rel_url ) == 0 ) { - strcpy( out, base_url ); + strncpy( out, base_url, strlen ( base_url ) ); } else { memcpy( out, base.scheme.buff, base.scheme.size ); out_finger += base.scheme.size; @@ -610,7 +612,7 @@ char *resolve_rel_url(char *base_url, char *rel_url) out_finger++; if( rel.hostport.text.size > 0 ) { - sprintf( out_finger, "%s", rel_url ); + snprintf( out_finger, strlen( rel_url ), "%s", rel_url ); } else { if( base.hostport.text.size > 0 ) { memcpy( out_finger, "//", 2 ); @@ -621,7 +623,7 @@ char *resolve_rel_url(char *base_url, char *rel_url) } if( rel.path_type == ABS_PATH ) { - strcpy( out_finger, rel_url ); + strncpy( out_finger, rel_url, strlen ( rel_url ) ); } else { @@ -642,7 +644,7 @@ char *resolve_rel_url(char *base_url, char *rel_url) finger++; } - strcpy( last_slash, rel_url ); + strncpy( last_slash, rel_url, strlen ( rel_url ) ); if( remove_dots( out_finger, strlen( out_finger ) ) != UPNP_E_SUCCESS ) { diff --git a/upnp/src/soap/soap_device.c b/upnp/src/soap/soap_device.c index 80a94d8..168cc9c 100644 --- a/upnp/src/soap/soap_device.c +++ b/upnp/src/soap/soap_device.c 
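Review bot: In resolve_rel_url, `snprintf( out_finger, strlen( rel_url ), "%s", rel_url )` drops the last character of rel_url, because the size argument of snprintf counts the terminating NUL; the bound has to be the space left in out, not the source length. The `strncpy( ..., strlen ( rel_url ) )` replacements never write a terminator and rely on the new memset of out. That is not enough for `strncpy( last_slash, rel_url, strlen ( rel_url ) )` if bytes of the base path were already copied past last_slash (that copy is outside the hunk, so this is inferred): a shorter rel_url would then leave the tail of the old path in place. Copying `strlen( rel_url ) + 1` bytes, or tracking the remaining size of out and passing it to snprintf, keeps the old strcpy semantics while still bounding the write.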
@@ -194,7 +194,8 @@ static void send_error_response( char err_code_str[30]; membuffer headers; - sprintf(err_code_str, "%d", error_code); + memset(err_code_str, 0, sizeof(err_code_str)); + snprintf(err_code_str, sizeof(err_code_str) - 1, "%d", error_code); /* calc body len */ content_length = (off_t) (strlen(start_body) + strlen(err_code_str) + strlen(mid_body) + strlen(err_msg) + diff --git a/upnp/src/ssdp/ssdp_ctrlpt.c b/upnp/src/ssdp/ssdp_ctrlpt.c index a439c59..41dcc99 100644 --- a/upnp/src/ssdp/ssdp_ctrlpt.c +++ b/upnp/src/ssdp/ssdp_ctrlpt.c @@ -327,24 +327,27 @@ static void CreateClientRequestPacket( { char TempBuf[COMMAND_LEN]; + memset(TempBuf, 0, sizeof(TempBuf)); strcpy(RqstBuf, "M-SEARCH * HTTP/1.1\r\n"); if (AddressFamily == AF_INET) { - sprintf(TempBuf, "HOST: %s:%d\r\n", SSDP_IP, SSDP_PORT); + snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: %s:%d\r\n", + SSDP_IP, SSDP_PORT); } else if (AddressFamily == AF_INET6) { - sprintf(TempBuf, "HOST: [%s]:%d\r\n", SSDP_IPV6_LINKLOCAL, - SSDP_PORT); + snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: [%s]:%d\r\n", + SSDP_IPV6_LINKLOCAL, SSDP_PORT); } strcat(RqstBuf, TempBuf); strcat(RqstBuf, "MAN: \"ssdp:discover\"\r\n"); if (Mx > 0) { - sprintf(TempBuf, "MX: %d\r\n", Mx); + snprintf(TempBuf, sizeof(TempBuf) - 1, "MX: %d\r\n", Mx); strcat(RqstBuf, TempBuf); } if (SearchTarget != NULL) { - sprintf(TempBuf, "ST: %s\r\n", SearchTarget); + snprintf(TempBuf, sizeof(TempBuf) - 1, "ST: %s\r\n", + SearchTarget); strcat(RqstBuf, TempBuf); } strcat(RqstBuf, "\r\n"); 
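Review bot: CreateClientRequestPacket still assembles the request with `strcpy(RqstBuf, ...)` and `strcat(RqstBuf, TempBuf)`, so bounding the TempBuf writes does not bound the buffer that actually receives the caller-supplied SearchTarget. The capacity of RqstBuf is not visible in the hunk; the function would need it as a parameter and could then append with a checked call such as `n = snprintf(RqstBuf + used, cap - used, "ST: %s\r\n", SearchTarget);` (`cap` and `used` are placeholder names), failing when `n < 0 || (size_t)n >= cap - used`. A SearchTarget that does not fit in COMMAND_LEN is now truncated silently, which also cuts the trailing `\r\n` off the ST header. The same applies to CreateClientRequestPacketUlaGua in the next hunk.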
@@ -365,21 +368,24 @@ static void CreateClientRequestPacketUlaGua( { char TempBuf[COMMAND_LEN]; + memset(TempBuf, 0, sizeof(TempBuf)); strcpy(RqstBuf, "M-SEARCH * HTTP/1.1\r\n"); if (AddressFamily == AF_INET) { - sprintf(TempBuf, "HOST: %s:%d\r\n", SSDP_IP, SSDP_PORT); + snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: %s:%d\r\n", + SSDP_IP, SSDP_PORT); } else if (AddressFamily == AF_INET6) { - sprintf(TempBuf, "HOST: [%s]:%d\r\n", SSDP_IPV6_SITELOCAL, - SSDP_PORT); + snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: [%s]:%d\r\n", + SSDP_IPV6_SITELOCAL, SSDP_PORT); } strcat(RqstBuf, TempBuf); strcat(RqstBuf, "MAN: \"ssdp:discover\"\r\n"); if (Mx > 0) { - sprintf(TempBuf, "MX: %d\r\n", Mx); + snprintf(TempBuf, sizeof(TempBuf) - 1, "MX: %d\r\n", Mx); strcat(RqstBuf, TempBuf); } if (SearchTarget) { - sprintf(TempBuf, "ST: %s\r\n", SearchTarget); + snprintf(TempBuf, sizeof(TempBuf) - 1, "ST: %s\r\n", + SearchTarget); strcat(RqstBuf, TempBuf); } strcat(RqstBuf, "\r\n"); diff --git a/upnp/src/ssdp/ssdp_device.c b/upnp/src/ssdp/ssdp_device.c index a4f7d1a..46c3ae2 100644 --- a/upnp/src/ssdp/ssdp_device.c +++ b/upnp/src/ssdp/ssdp_device.c @@ -440,6 +440,7 @@ int DeviceAdvertisement(char *DevType, int RootDev, char *Udn, char *Location, UpnpPrintf(UPNP_INFO, SSDP, __FILE__, __LINE__, "In function DeviceAdvertisement\n"); memset(&__ss, 0, sizeof(__ss)); + memset(Mil_Usn, 0, sizeof(Mil_Usn)); if (AddressFamily == AF_INET) { DestAddr4->sin_family = AF_INET; inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr); @@ -461,7 +462,8 @@ int DeviceAdvertisement(char *DevType, int RootDev, char *Udn, char *Location, /* If deviceis a root device , here we need to send 3 advertisement * or reply */ if (RootDev) { - sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, + "%s::upnp:rootdevice", Udn); CreateServicePacket(MSGTYPE_ADVERTISEMENT, "upnp:rootdevice", Mil_Usn, Location, Duration, &msgs[0], AddressFamily, PowerState, SleepPeriod, 
@@ -471,7 +473,7 @@ int DeviceAdvertisement(char *DevType, int RootDev, char *Udn, char *Location, CreateServicePacket(MSGTYPE_ADVERTISEMENT, Udn, Udn, Location, Duration, &msgs[1], AddressFamily, PowerState, SleepPeriod, RegistrationState); - sprintf(Mil_Usn, "%s::%s", Udn, DevType); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, DevType); CreateServicePacket(MSGTYPE_ADVERTISEMENT, DevType, Mil_Usn, Location, Duration, &msgs[2], AddressFamily, PowerState, SleepPeriod, RegistrationState); @@ -513,11 +515,13 @@ int SendReply(struct sockaddr *DestAddr, char *DevType, int RootDev, msgs[0] = NULL; msgs[1] = NULL; + memset(Mil_Usn, 0, sizeof(Mil_Usn)); if (RootDev) { /* one msg for root device */ num_msgs = 1; - sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::upnp:rootdevice", + Udn); CreateServicePacket(MSGTYPE_REPLY, "upnp:rootdevice", Mil_Usn, Location, Duration, &msgs[0], DestAddr->sa_family, PowerState, @@ -533,7 +537,8 @@ int SendReply(struct sockaddr *DestAddr, char *DevType, int RootDev, DestAddr->sa_family, PowerState, SleepPeriod, RegistrationState); } else { - sprintf(Mil_Usn, "%s::%s", Udn, DevType); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, + DevType); CreateServicePacket(MSGTYPE_REPLY, DevType, Mil_Usn, Location, Duration, &msgs[0], DestAddr->sa_family, PowerState, 
@@ -567,23 +572,26 @@ int DeviceReply(struct sockaddr *DestAddr, char *DevType, int RootDev, szReq[0] = NULL; szReq[1] = NULL; szReq[2] = NULL; + memset(Mil_Nt, 0, sizeof(Mil_Nt)); + memset(Mil_Usn, 0, sizeof(Mil_Usn)); /* create 2 or 3 msgs */ if (RootDev) { /* 3 replies for root device */ - strcpy(Mil_Nt, "upnp:rootdevice"); - sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn); + strncpy(Mil_Nt, "upnp:rootdevice", sizeof(Mil_Nt) - 1); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::upnp:rootdevice", + Udn); CreateServicePacket(MSGTYPE_REPLY, Mil_Nt, Mil_Usn, Location, Duration, &szReq[0], DestAddr->sa_family, PowerState, SleepPeriod, RegistrationState); } - sprintf(Mil_Nt, "%s", Udn); - sprintf(Mil_Usn, "%s", Udn); + snprintf(Mil_Nt, sizeof(Mil_Nt) - 1, "%s", Udn); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s", Udn); CreateServicePacket(MSGTYPE_REPLY, Mil_Nt, Mil_Usn, Location, Duration, &szReq[1], DestAddr->sa_family, PowerState, SleepPeriod, RegistrationState); - sprintf(Mil_Nt, "%s", DevType); - sprintf(Mil_Usn, "%s::%s", Udn, DevType); + snprintf(Mil_Nt, sizeof(Mil_Nt) - 1, "%s", DevType); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, DevType); CreateServicePacket(MSGTYPE_REPLY, Mil_Nt, Mil_Usn, Location, Duration, &szReq[2], DestAddr->sa_family, PowerState, SleepPeriod, RegistrationState); @@ -621,6 +629,7 @@ int ServiceAdvertisement(char *Udn, char *ServType, char *Location, struct sockaddr_in6 *DestAddr6 = (struct sockaddr_in6 *)&__ss; memset(&__ss, 0, sizeof(__ss)); + memset(Mil_Usn, 0, sizeof(Mil_Usn)); if (AddressFamily == AF_INET) { DestAddr4->sin_family = AF_INET; inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr); 
@@ -636,7 +645,7 @@ int ServiceAdvertisement(char *Udn, char *ServType, char *Location, UpnpPrintf(UPNP_CRITICAL, SSDP, __FILE__, __LINE__, "Invalid device address family.\n"); } - sprintf(Mil_Usn, "%s::%s", Udn, ServType); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1,"%s::%s", Udn, ServType); /* CreateServiceRequestPacket(1,szReq[0],Mil_Nt,Mil_Usn, * Server,Location,Duration); */ CreateServicePacket(MSGTYPE_ADVERTISEMENT, ServType, Mil_Usn, @@ -659,8 +668,9 @@ int ServiceReply(struct sockaddr *DestAddr, char *ServType, char *Udn, char *szReq[1]; int RetVal; + memset(Mil_Usn, 0, sizeof(Mil_Usn)); szReq[0] = NULL; - sprintf(Mil_Usn, "%s::%s", Udn, ServType); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, ServType); CreateServicePacket(MSGTYPE_REPLY, ServType, Mil_Usn, Location, Duration, &szReq[0], DestAddr->sa_family, PowerState, SleepPeriod, RegistrationState); @@ -684,6 +694,7 @@ int ServiceShutdown(char *Udn, char *ServType, char *Location, int Duration, int RetVal = UPNP_E_SUCCESS; memset(&__ss, 0, sizeof(__ss)); + memset(Mil_Usn, 0, sizeof(Mil_Usn)); if (AddressFamily == AF_INET) { DestAddr4->sin_family = AF_INET; inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr); @@ -700,7 +711,7 @@ int ServiceShutdown(char *Udn, char *ServType, char *Location, int Duration, "Invalid device address family.\n"); } /* sprintf(Mil_Nt,"%s",ServType); */ - sprintf(Mil_Usn, "%s::%s", Udn, ServType); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, ServType); /* CreateServiceRequestPacket(0,szReq[0],Mil_Nt,Mil_Usn, * Server,Location,Duration); */ CreateServicePacket(MSGTYPE_SHUTDOWN, ServType, Mil_Usn, @@ -729,6 +740,7 @@ int DeviceShutdown(char *DevType, int RootDev, char *Udn, char *_Server, msgs[1] = NULL; msgs[2] = NULL; memset(&__ss, 0, sizeof(__ss)); + memset(Mil_Usn, 0, sizeof(Mil_Usn)); if (AddressFamily == AF_INET) { DestAddr4->sin_family = AF_INET; inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr); 
@@ -746,7 +758,8 @@ int DeviceShutdown(char *DevType, int RootDev, char *Udn, char *_Server, } /* root device has one extra msg */ if (RootDev) { - sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::upnp:rootdevice", + Udn); CreateServicePacket(MSGTYPE_SHUTDOWN, "upnp:rootdevice", Mil_Usn, Location, Duration, &msgs[0], AddressFamily, PowerState, SleepPeriod, @@ -758,7 +771,7 @@ int DeviceShutdown(char *DevType, int RootDev, char *Udn, char *_Server, CreateServicePacket(MSGTYPE_SHUTDOWN, Udn, Udn, Location, Duration, &msgs[1], AddressFamily, PowerState, SleepPeriod, RegistrationState); - sprintf(Mil_Usn, "%s::%s", Udn, DevType); + snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, DevType); CreateServicePacket(MSGTYPE_SHUTDOWN, DevType, Mil_Usn, Location, Duration, &msgs[2], AddressFamily, PowerState, SleepPeriod, RegistrationState); diff --git a/upnp/src/ssdp/ssdp_server.c b/upnp/src/ssdp/ssdp_server.c index 90d5fbd..a284c7e 100644 --- a/upnp/src/ssdp/ssdp_server.c +++ b/upnp/src/ssdp/ssdp_server.c @@ -467,8 +467,11 @@ int unique_service_name(char *cmd, SsdpEvent *Evt) ptr3 = strstr(ptr2 + 1, ":"); else return -1; - if (ptr3 != NULL) - sprintf(Evt->UDN, "uuid:%s", ptr3 + 1); + if (ptr3 != NULL) { + memset(Evt->UDN, 0, sizeof(Evt->UDN)); + snprintf(Evt->UDN, sizeof(Evt->UDN) - 1, + "uuid:%s", ptr3 + 1); + } else return -1; ptr1 = strstr(cmd, ":"); @@ -476,7 +479,9 @@ int unique_service_name(char *cmd, SsdpEvent *Evt) n = (size_t) (ptr3 - ptr1); strncpy(TempBuf, ptr1, n); TempBuf[n] = '\0'; - sprintf(Evt->DeviceType, "urn%s", TempBuf); + memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType)); + snprintf(Evt->DeviceType, sizeof(Evt->DeviceType) - 1, + "urn%s", TempBuf); } else return -1; return 0; diff --git a/upnp/src/urlconfig/urlconfig.c b/upnp/src/urlconfig/urlconfig.c index e94c767..a8c025a 100644 --- a/upnp/src/urlconfig/urlconfig.c +++ b/upnp/src/urlconfig/urlconfig.c 
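Review bot: In unique_service_name the unchanged lines `strncpy(TempBuf, ptr1, n); TempBuf[n] = '\0';` copy `n = ptr3 - ptr1` bytes derived from cmd with no comparison against the size of TempBuf visible in the hunk, and the commit bounds only the snprintf that follows. If TempBuf is a fixed-size array (its declaration is outside the hunk), a long cmd can still overrun it before the new snprintf runs. A guard such as `if (n >= sizeof(TempBuf)) return -1;` placed before the copy closes that path.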
@@ -133,9 +133,10 @@ static UPNP_INLINE int calc_alias( alias_temp = malloc(new_alias_len + 1); if (alias_temp == NULL) return UPNP_E_OUTOF_MEMORY; - strcpy(alias_temp, rootPath); - strcat(alias_temp, temp_str); - strcat(alias_temp, aliasPtr); + memset(alias_temp, 0, new_alias_len + 1); + strncpy(alias_temp, rootPath, root_len); + strncat(alias_temp, temp_str, strlen(temp_str)); + strncat(alias_temp, aliasPtr, strlen(aliasPtr)); *newAlias = alias_temp; return UPNP_E_SUCCESS; @@ -173,9 +174,10 @@ static UPNP_INLINE int calc_descURL( len = strlen(http_scheme) + strlen(ipPortStr) + strlen(alias); if (len > (LINE_SIZE - 1)) return UPNP_E_URL_TOO_BIG; - strcpy(descURL, http_scheme); - strcat(descURL, ipPortStr); - strcat(descURL, alias); + strncpy(descURL, http_scheme, strlen(http_scheme)); + strncat(descURL, ipPortStr, strlen(ipPortStr)); + strncat(descURL, alias, strlen(alias)); + descURL[len] = '\0'; UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__, "desc url: %s\n", descURL);
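Review bot: In calc_descURL, `strncpy(descURL, http_scheme, strlen(http_scheme))` writes no terminator, and the `strncat` on the next line then searches descURL for a NUL that is only there if the caller zero-filled the buffer, which this hunk does not show; calc_alias avoids this only because of its added memset. The source-length bounds passed to strncat restrict nothing either, so the `len > (LINE_SIZE - 1)` check remains the only guard. A single `snprintf(descURL, LINE_SIZE, "%s%s%s", http_scheme, ipPortStr, alias);` with its return value checked replaces all four added lines and terminates the string itself, assuming descURL holds LINE_SIZE bytes as the check implies.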