Remove most of strcpy, sprintf and strcat

Replace strcpy, sprintf and strcat by strncpy, snprintf and strncat to avoid buffer overflows. (forward port of commit 97a17ff5ad)
2012-03-08 10:08:09 +01:00 · 2012-03-08 10:08:09 +01:00 · 0edaf3361d
commit 0edaf3361d
parent beae2ea332
13 changed files with 170 additions and 84 deletions
--- a/7
+++ b/7
@ -318,6 +318,13 @@ Version 1.8.0
 Version 1.6.16
 *******************************************************************************
 2012-03-08 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
 	Remove most of strcpy, sprintf and strcat
 	Replace strcpy, sprintf and strcat by strncpy, snprintf and strncat to
 	avoid buffer overflows.
 2012-03-07 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
 	SF Bug Tracker id 3497714 - Buffer overflows
--- a/upnp/src/api/upnpapi.c
+++ b/upnp/src/api/upnpapi.c
@ -1500,6 +1500,7 @@ static int GetDescDocumentAndURL(
 	struct sockaddr_storage serverAddr;
 	int rc = UPNP_E_SUCCESS;
 	memset(aliasStr, 0, sizeof(aliasStr));
 	if (description == NULL)
 		return UPNP_E_INVALID_PARAM;
 	/* non-URL description must have configuration specified */
@ -1551,7 +1552,8 @@ static int GetDescDocumentAndURL(
 	/* Determine alias */
 	if (config_baseURL) {
 		if (descriptionType == UPNPREG_BUF_DESC) {
-			strcpy(aliasStr, "description.xml");
+			strncpy(aliasStr, "description.xml",
 				sizeof(aliasStr) - 1);
 		} else {
 			/* URL or filename */
 			retVal = GetNameForAlias(description, &temp_str);
@ -1564,7 +1566,7 @@ static int GetDescDocumentAndURL(
 				free(temp_str);
 				return UPNP_E_URL_TOO_BIG;
 			}
-			strcpy(aliasStr, temp_str);
+			strncpy(aliasStr, temp_str, sizeof(aliasStr) - 1);
 		}
 		if (AddressFamily == AF_INET) {
 			get_server_addr((struct sockaddr *)&serverAddr);
@ -1586,7 +1588,8 @@ static int GetDescDocumentAndURL(
 			ixmlDocument_free(*xmlDoc);
 			return UPNP_E_URL_TOO_BIG;
 		}
-		strcpy(descURL, description);
+		strncpy(descURL, description, strlen(description));
 		descURL[strlen(description)] = '\0';
 	}
 	assert(*xmlDoc != NULL);
@ -1617,7 +1620,8 @@ static int GetDescDocumentAndURL(
 	if (strlen(description) > (LINE_SIZE - 1)) {
 		return UPNP_E_URL_TOO_BIG;
 	}
-	strcpy(descURL, description);
+	strncpy(descURL, description, strlen(description));
 	descURL[strlen(description)] = '\0';
 	retVal = UpnpDownloadXmlDoc(description, xmlDoc);
 	if (retVal != UPNP_E_SUCCESS) {
@ -1986,7 +1990,8 @@ int UpnpSubscribe(
 	HandleUnlock();
 	retVal = genaSubscribe(Hnd, EvtUrl, TimeOut, SubsIdTmp);
-	strcpy(SubsId, UpnpString_get_String(SubsIdTmp));
+	memset(SubsId, 0, sizeof(Upnp_SID));
 	strncpy(SubsId, UpnpString_get_String(SubsIdTmp), sizeof(Upnp_SID) - 1);
 exit_function:
 	UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
@ -3436,7 +3441,9 @@ int UpnpGetIfInfo(const char *IfName)
 		    (struct ifreq *)((caddr_t) ifConf.ifc_req + i);
 		i += sizeof *pifReq;
 		/* See if this is the sort of interface we want to deal with. */
-		strcpy(ifReq.ifr_name, pifReq->ifr_name);
+		memset(ifReq.ifr_name, 0, sizeof(ifReq.ifr_name));
 		strncpy(ifReq.ifr_name, pifReq->ifr_name,
 			sizeof(ifReq.ifr_name) - 1);
 		if (ioctl(LocalSock, SIOCGIFFLAGS, &ifReq) < 0) {
 			UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
 				   "Can't get interface flags for %s:\n",
@ -3868,7 +3875,9 @@ int getlocalhostname(char *out, size_t out_len)
 			(struct ifreq *)((caddr_t)ifConf.ifc_req + i);
 		i += sizeof *pifReq;
 		/* See if this is the sort of interface we want to deal with. */
-		strcpy(ifReq.ifr_name, pifReq->ifr_name);
+		memset(ifReq.ifr_name, 0, sizeof(ifReq.ifr_name));
 		strncpy(ifReq.ifr_name, pifReq->ifr_name,
 			sizeof(ifReq.ifr_name) - 1);
 		if (ioctl(LocalSock, SIOCGIFFLAGS, &ifReq) < 0) {
 			UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
 				"Can't get interface flags for %s:\n",
@ -3948,6 +3957,7 @@ int UpnpAddVirtualDir(const char *newDirName)
    virtualDirList *pCurVirtualDir;
    char dirName[NAME_SIZE];
    memset( dirName, 0, sizeof( dirName ) );
    if( UpnpSdkInit != 1 ) {
        /* SDK is not initialized */
        return UPNP_E_FINISH;
@ -3959,9 +3969,9 @@ int UpnpAddVirtualDir(const char *newDirName)
    if( *newDirName != '/' ) {
        dirName[0] = '/';
-        strcpy( dirName + 1, newDirName );
+        strncpy( dirName + 1, newDirName, sizeof( dirName ) - 1 );
    } else {
-        strcpy( dirName, newDirName );
+        strncpy( dirName, newDirName, sizeof( dirName ) - 1 );
    }
    pCurVirtualDir = pVirtualDirList;
@ -3980,7 +3990,9 @@ int UpnpAddVirtualDir(const char *newDirName)
        return UPNP_E_OUTOF_MEMORY;
    }
    pNewVirtualDir->next = NULL;
-    strcpy( pNewVirtualDir->dirName, dirName );
+    memset( pNewVirtualDir->dirName, 0, sizeof( pNewVirtualDir->dirName ) );
    strncpy( pNewVirtualDir->dirName, dirName,
 	sizeof( pNewVirtualDir->dirName ) - 1);
    *( pNewVirtualDir->dirName + strlen( dirName ) ) = 0;
    if( pVirtualDirList == NULL ) { /* first virtual dir */
--- a/upnp/src/api/upnptools.c
+++ b/upnp/src/api/upnptools.c
@ -2,6 +2,7 @@
 *
 * Copyright (c) 2000-2003 Intel Corporation 
 * All rights reserved. 
 * Copyright (c) 2012 France Telecom All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions are met: 
@ -218,13 +219,14 @@ static int addToAction(
 		if (ActBuff == NULL) {
 			return UPNP_E_OUTOF_MEMORY;
 		}
 		memset(ActBuff, 0, HEADER_LENGTH);
 		if (response) {
-			sprintf(ActBuff,
+			snprintf(ActBuff, HEADER_LENGTH - 1,
 				"<u:%sResponse xmlns:u=\"%s\">\r\n</u:%sResponse>",
 				ActionName, ServType, ActionName);
 		} else {
-			sprintf(ActBuff,
+			snprintf(ActBuff, HEADER_LENGTH - 1,
 				"<u:%s xmlns:u=\"%s\">\r\n</u:%s>",
 				ActionName, ServType, ActionName);
 		}
@ -291,13 +293,14 @@ static IXML_Document *makeAction(
 	if (ActBuff == NULL) {
 		return NULL;
 	}
 	memset(ActBuff, 0, HEADER_LENGTH);
 	if (response) {
-		sprintf(ActBuff,
+		snprintf(ActBuff, HEADER_LENGTH - 1,
 			"<u:%sResponse xmlns:u=\"%s\">\r\n</u:%sResponse>",
 			ActionName, ServType, ActionName);
 	} else {
-		sprintf(ActBuff,
+		snprintf(ActBuff, HEADER_LENGTH - 1,
 			"<u:%s xmlns:u=\"%s\">\r\n</u:%s>",
 			ActionName, ServType, ActionName);
 	}
--- a/upnp/src/gena/gena_ctrlpt.c
+++ b/upnp/src/gena/gena_ctrlpt.c
@ -284,6 +284,7 @@ static int gena_subscribe(
 	uri_type dest_url;
 	http_parser_t response;
 	memset(timeout_str, 0, sizeof(timeout_str));
 	UpnpString_clear(sid);
 	/* request timeout to string */
@ -291,11 +292,12 @@ static int gena_subscribe(
 		timeout = &local_timeout;
 	}
 	if (*timeout < 0) {
-		strcpy(timeout_str, "infinite");
+		strncpy(timeout_str, "infinite", sizeof(timeout_str) - 1);
 	} else if(*timeout < CP_MINIMUM_SUBSCRIPTION_TIME) {
-		sprintf(timeout_str, "%d", CP_MINIMUM_SUBSCRIPTION_TIME);
+		snprintf(timeout_str, sizeof(timeout_str) - 1,
 			"%d", CP_MINIMUM_SUBSCRIPTION_TIME);
 	} else {
-		sprintf(timeout_str, "%d", *timeout);
+		snprintf(timeout_str, sizeof(timeout_str) - 1, "%d", *timeout);
 	}
 	/* parse url */
@ -513,6 +515,9 @@ int genaSubscribe(
 	UpnpString *EventURL = UpnpString_new();
 	struct Handle_Info *handle_info;
 	memset(temp_sid, 0, sizeof(temp_sid));
 	memset(temp_sid2, 0, sizeof(temp_sid2));
 	UpnpPrintf(UPNP_INFO, GENA, __FILE__, __LINE__, "GENA SUBSCRIBE BEGIN");
 	UpnpString_clear(out_sid);
@ -545,7 +550,7 @@ int genaSubscribe(
 	/* generate client SID */
 	uuid_create(&uid );
 	uuid_unpack(&uid, temp_sid);
-	sprintf(temp_sid2, "uuid:%s", temp_sid);
+	snprintf(temp_sid2, sizeof(temp_sid2) - 1, "uuid:%s", temp_sid);
 	UpnpString_set_String(out_sid, temp_sid2);
 	/* create event url */
--- a/upnp/src/gena/gena_device.c
+++ b/upnp/src/gena/gena_device.c
@ -493,8 +493,10 @@ int genaInitNotify(
 		goto ExitFunction;
 	}
-	strcpy(UDN_copy, UDN);
+	memset(UDN_copy, 0, strlen(UDN) + 1);
-	strcpy(servId_copy, servId);
+	strncpy(UDN_copy, UDN, strlen(UDN));
 	memset(servId_copy, 0, strlen(servId) + 1);
 	strncpy(servId_copy, servId, strlen(servId));
 	HandleLock();
@ -650,8 +652,10 @@ int genaInitNotifyExt(
 		goto ExitFunction;
 	}
-	strcpy(UDN_copy, UDN);
+	memset(UDN_copy, 0, strlen(UDN) + 1);
-	strcpy(servId_copy, servId);
+	strncpy(UDN_copy, UDN, strlen(UDN));
 	memset(servId_copy, 0, strlen(servId) + 1);
 	strncpy(servId_copy, servId, strlen(servId));
 	HandleLock();
@ -807,8 +811,10 @@ int genaNotifyAllExt(
 		goto ExitFunction;
 	}
-	strcpy(UDN_copy, UDN);
+	memset(UDN_copy, 0, strlen(UDN) + 1);
-	strcpy(servId_copy, servId);
+	strncpy(UDN_copy, UDN, strlen(UDN));
 	memset(servId_copy, 0, strlen(servId) + 1);
 	strncpy(servId_copy, servId, strlen(servId));
 	propertySet = ixmlPrintNode((IXML_Node *)PropSet);
 	if (propertySet == NULL) {
@ -951,8 +957,10 @@ int genaNotifyAll(
 		goto ExitFunction;
 	}
-	strcpy(UDN_copy, UDN);
+	memset(UDN_copy, 0, strlen(UDN) + 1);
-	strcpy(servId_copy, servId);
+	strncpy(UDN_copy, UDN, strlen(UDN));
 	memset(servId_copy, 0, strlen(servId) + 1);
 	strncpy(servId_copy, servId, strlen(servId));
 	ret = GeneratePropertySet(VarNames, VarValues, var_count, &propertySet);
 	if (ret != XML_SUCCESS) {
@ -1067,13 +1075,16 @@ static int respond_ok(
    char timeout_str[100];
    int upnp_timeout = UPNP_TIMEOUT;
    memset( timeout_str, 0, sizeof( timeout_str ) );
    http_CalcResponseVersion( request->major_version,
                              request->minor_version, &major, &minor );
    if( time_out >= 0 ) {
-        sprintf( timeout_str, "TIMEOUT: Second-%d", time_out );
+        snprintf( timeout_str, sizeof ( timeout_str ) - 1,
 		"TIMEOUT: Second-%d", time_out );
    } else {
-        strcpy( timeout_str, "TIMEOUT: Second-infinite" );
+        strncpy( timeout_str, "TIMEOUT: Second-infinite",
 		sizeof ( timeout_str ) - 1 );
    }
    membuffer_init( &response );
@ -1335,7 +1346,8 @@ void gena_process_subscription_request(
 	/* generate SID */
 	uuid_create(&uid);
 	uuid_unpack(&uid, temp_sid);
-	sprintf(sub->sid, "uuid:%s", temp_sid);
+	memset(sub->sid, 0, sizeof(sub->sid));
 	snprintf(sub->sid, sizeof(sub->sid) - 1, "uuid:%s", temp_sid);
 	/* respond OK */
 	if (respond_ok(info, time_out, sub, request) != UPNP_E_SUCCESS) {
--- a/upnp/src/genlib/net/http/httpreadwrite.c
+++ b/upnp/src/genlib/net/http/httpreadwrite.c
@ -430,6 +430,7 @@ int http_SendMessage(SOCKINFO *info, int *TimeOut, const char *fmt, ...)
 	/* 10 byte allocated for chunk header. */
 	size_t Data_Buf_Size = WEB_SERVER_BUF_SIZE;
 	memset(Chunk_Header, 0, sizeof(Chunk_Header));
 	va_start(argp, fmt);
 	while ((c = *fmt++) != 0) {
 		if (c == 'I') {
@ -507,9 +508,13 @@ int http_SendMessage(SOCKINFO *info, int *TimeOut, const char *fmt, ...)
 					/* Copy CRLF at the end of the chunk */
 					memcpy(file_buf + num_read, "\r\n", 2);
 					/* Hex length for the chunk size. */
-					sprintf(Chunk_Header, "%" PRIzx, num_read);
+					memset(Chunk_Header, 0,
 						sizeof(Chunk_Header));
 					snprintf(Chunk_Header,
 						sizeof(Chunk_Header) - strlen ("\r\n") - 1,
 						"%" PRIzx, num_read);
 					/*itoa(num_read,Chunk_Header,16);  */
-					strcat(Chunk_Header, "\r\n");
+					strncat(Chunk_Header, "\r\n", strlen ("\r\n"));
 					/* Copy the chunk size header  */
 					memcpy(file_buf - strlen(Chunk_Header),
 					       Chunk_Header,
@ -696,7 +701,8 @@ int http_Download( IN const char *url_str,
 		return ret_code;
 	/* make msg */
 	membuffer_init(&request);
-	strcpy(urlPath, url_str);
+	memset(urlPath, 0, strlen(url_str) + 1);
 	strncpy(urlPath, url_str, strlen(url_str));
 	hoststr = strstr(urlPath, "//");
 	if (hoststr == NULL)
 		return UPNP_E_INVALID_URL;
@ -1434,6 +1440,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
 	const char *month_str = "Jan\0Feb\0Mar\0Apr\0May\0Jun\0"
 	    "Jul\0Aug\0Sep\0Oct\0Nov\0Dec";
 	memset(tempbuf, 0, sizeof(tempbuf));
 	va_start(argp, fmt);
 	while ((c = *fmt++) != 0) {
 		if (c == 's') {
@ -1475,13 +1482,14 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
 		} else if (c == 'd') {
 			/* integer */
 			num = (size_t)va_arg(argp, int);
-			sprintf(tempbuf, "%" PRIzu, num);
+			snprintf(tempbuf, sizeof(tempbuf) - 1, "%" PRIzu, num);
 			if (membuffer_append(buf, tempbuf, strlen(tempbuf)))
 				goto error_handler;
 		} else if (c == 'h') {
 			/* off_t */
 			bignum = (off_t) va_arg(argp, off_t);
-			sprintf(tempbuf, "%" PRId64, (int64_t) bignum);
+			snprintf(tempbuf, sizeof(tempbuf) - 1, "%" PRId64,
 				(int64_t) bignum);
 			if (membuffer_append(buf, tempbuf, strlen(tempbuf)))
 				goto error_handler;
 		} else if (c == 't' || c == 'D') {
@ -1499,7 +1507,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
 			}
 			assert(loc_time);
 			date = gmtime(loc_time);
-			sprintf(tempbuf,
+			snprintf(tempbuf, sizeof(tempbuf) - 1,
 				"%s%s, %02d %s %d %02d:%02d:%02d GMT%s",
 				start_str, &weekday_str[date->tm_wday * 4],
 				date->tm_mday, &month_str[date->tm_mon * 4],
@ -1556,7 +1564,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
 			/*   e.g.: 'HTTP/1.1 200 OK' code */
 			status_code = (int)va_arg(argp, int);
 			assert(status_code > 0);
-			sprintf(tempbuf, "HTTP/%d.%d %d ",
+			snprintf(tempbuf, sizeof(tempbuf) - 1, "HTTP/%d.%d %d ",
 				http_major_version, http_minor_version,
 				status_code);
 			/* str */
@ -1567,7 +1575,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
 		} else if (c == 'B') {
 			/* body of a simple reply */
 			status_code = (int)va_arg(argp, int);
-			sprintf(tempbuf, "%s%d %s%s",
+			snprintf(tempbuf, sizeof(tempbuf) - 1, "%s%d %s%s",
 				"<html><body><h1>",
 				status_code, http_get_code_text(status_code),
 				"</h1></body></html>");
@ -1702,7 +1710,7 @@ int MakeGetMessageEx( const char *url_str,
 			break;
 		}
 		memset(urlPath, 0, strlen(url_str) + 1);
-		strcpy(urlPath, url_str);
+		strncpy(urlPath, url_str, strlen(url_str));
 		hoststr = strstr(urlPath, "//");
 		if (hoststr == NULL) {
 			errCode = UPNP_E_INVALID_URL;
@ -1806,7 +1814,8 @@ int http_OpenHttpGetEx(
 			break;
 		}
 		memset(&rangeBuf, 0, sizeof(rangeBuf));
-		sprintf(rangeBuf.RangeHeader,
+		snprintf(rangeBuf.RangeHeader,
 			sizeof(rangeBuf.RangeHeader) - 1,
 			"Range: bytes=%d-%d\r\n", lowRange, highRange);
 		membuffer_init(&request);
 		errCode = MakeGetMessageEx(url_str, &request, &url, &rangeBuf);
--- a/upnp/src/genlib/net/http/webserver.c
+++ b/upnp/src/genlib/net/http/webserver.c
@ -318,6 +318,7 @@ static UPNP_INLINE int get_content_type(
 	temp = malloc(length);
 	if (!temp)
 		return UPNP_E_OUTOF_MEMORY;
 	memset(temp, 0, length);
 	sprintf(temp, "%s/%s", type, subtype);
 	UpnpFileInfo_set_ContentType(fileInfo, temp);
 	free(temp);
@ -773,7 +774,8 @@ static int CreateHTTPRangeResponseHeader(
 	RangeInput = malloc(strlen(ByteRangeSpecifier) + 1);
 	if (!RangeInput)
 		return UPNP_E_OUTOF_MEMORY;
-	strcpy(RangeInput, ByteRangeSpecifier);
+	memset(RangeInput, 0, strlen(ByteRangeSpecifier) + 1);
 	strncpy(RangeInput, ByteRangeSpecifier, strlen(ByteRangeSpecifier));
 	/* CONTENT-RANGE: bytes 222-3333/4000  HTTP_PARTIAL_CONTENT */
 	if (StrStr(RangeInput, "bytes") == NULL ||
 	    (Ptr = StrStr(RangeInput, "=")) == NULL) {
@ -792,13 +794,15 @@ static int CreateHTTPRangeResponseHeader(
 			free(RangeInput);
 			return HTTP_REQUEST_RANGE_NOT_SATISFIABLE;
 		}
 		memset(Instr->RangeHeader, 0, sizeof(Instr->RangeHeader));
 		if (FirstByte >= 0 && LastByte >= 0 && LastByte >= FirstByte) {
 			if (LastByte >= FileLength)
 				LastByte = FileLength - 1;
 			Instr->RangeOffset = FirstByte;
 			Instr->ReadSendSize = LastByte - FirstByte + 1;
 			/* Data between two range. */
-			sprintf(Instr->RangeHeader,
+			snprintf(Instr->RangeHeader,
 				sizeof(Instr->RangeHeader) - 1,
 				"CONTENT-RANGE: bytes %" PRId64
 				"-%" PRId64 "/%" PRId64 "\r\n",
 				(int64_t)FirstByte,
@ -808,7 +812,10 @@ static int CreateHTTPRangeResponseHeader(
 			   && FirstByte < FileLength) {
 			Instr->RangeOffset = FirstByte;
 			Instr->ReadSendSize = FileLength - FirstByte;
-			sprintf(Instr->RangeHeader,
+			memset(Instr->RangeHeader, 0,
 				sizeof(Instr->RangeHeader));
 			snprintf(Instr->RangeHeader,
 				sizeof(Instr->RangeHeader) - 1,
 				"CONTENT-RANGE: bytes %" PRId64
 				"-%" PRId64 "/%" PRId64 "\r\n",
 				(int64_t)FirstByte,
@ -818,7 +825,8 @@ static int CreateHTTPRangeResponseHeader(
 			if (LastByte >= FileLength) {
 				Instr->RangeOffset = 0;
 				Instr->ReadSendSize = FileLength;
-				sprintf(Instr->RangeHeader,
+				snprintf(Instr->RangeHeader,
 					sizeof(Instr->RangeHeader) - 1,
 					"CONTENT-RANGE: bytes 0-%" PRId64
 					"/%" PRId64 "\r\n",
 					(int64_t)(FileLength - 1),
@ -826,7 +834,8 @@ static int CreateHTTPRangeResponseHeader(
 			} else {
 				Instr->RangeOffset = FileLength - LastByte;
 				Instr->ReadSendSize = LastByte;
-				sprintf(Instr->RangeHeader,
+				snprintf(Instr->RangeHeader,
 					sizeof(Instr->RangeHeader) - 1,
 					"CONTENT-RANGE: bytes %" PRId64
 					"-%" PRId64 "/%" PRId64 "\r\n",
 					(int64_t)(FileLength - LastByte + 1),
--- a/upnp/src/genlib/net/uri/uri.c
+++ b/upnp/src/genlib/net/uri/uri.c
@ -2,6 +2,7 @@
 *
 * Copyright (c) 2000-2003 Intel Corporation 
 * All rights reserved. 
 * Copyright (c) 2012 France Telecom All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions are met: 
@ -589,12 +590,13 @@ char *resolve_rel_url(char *base_url, char *rel_url)
    if( out == NULL ) {
        return NULL;
    }
    memset( out, 0, strlen( base_url ) + strlen( rel_url ) + 2 );
    if( ( parse_uri( rel_url, strlen( rel_url ), &rel ) ) == HTTP_SUCCESS ) {
        if( rel.type == ABSOLUTE ) {
-            strcpy( out, rel_url );
+            strncpy( out, rel_url, strlen ( rel_url ) );
        } else {
            if( ( parse_uri( base_url, strlen( base_url ), &base ) ==
@ -602,7 +604,7 @@ char *resolve_rel_url(char *base_url, char *rel_url)
                && ( base.type == ABSOLUTE ) ) {
                if( strlen( rel_url ) == 0 ) {
-                    strcpy( out, base_url );
+                    strncpy( out, base_url, strlen ( base_url ) );
                } else {
                    memcpy( out, base.scheme.buff, base.scheme.size );
                    out_finger += base.scheme.size;
@ -610,7 +612,7 @@ char *resolve_rel_url(char *base_url, char *rel_url)
                    out_finger++;
                    if( rel.hostport.text.size > 0 ) {
-                        sprintf( out_finger, "%s", rel_url );
+                        snprintf( out_finger, strlen( rel_url ), "%s", rel_url );
                    } else {
                        if( base.hostport.text.size > 0 ) {
                            memcpy( out_finger, "//", 2 );
@ -621,7 +623,7 @@ char *resolve_rel_url(char *base_url, char *rel_url)
                        }
                        if( rel.path_type == ABS_PATH ) {
-                            strcpy( out_finger, rel_url );
+                            strncpy( out_finger, rel_url, strlen ( rel_url ) );
                        } else {
@ -642,7 +644,7 @@ char *resolve_rel_url(char *base_url, char *rel_url)
                                finger++;
                            }
-                            strcpy( last_slash, rel_url );
+                            strncpy( last_slash, rel_url, strlen ( rel_url ) );
                            if( remove_dots( out_finger,
                                             strlen( out_finger ) ) !=
                                UPNP_E_SUCCESS ) {
--- a/upnp/src/soap/soap_device.c
+++ b/upnp/src/soap/soap_device.c
@ -194,7 +194,8 @@ static void send_error_response(
 	char err_code_str[30];
 	membuffer headers;
-	sprintf(err_code_str, "%d", error_code);
+	memset(err_code_str, 0, sizeof(err_code_str));
 	snprintf(err_code_str, sizeof(err_code_str) - 1, "%d", error_code);
 	/* calc body len */
 	content_length = (off_t) (strlen(start_body) + strlen(err_code_str) +
 				  strlen(mid_body) + strlen(err_msg) +
--- a/upnp/src/ssdp/ssdp_ctrlpt.c
+++ b/upnp/src/ssdp/ssdp_ctrlpt.c
@ -327,24 +327,27 @@ static void CreateClientRequestPacket(
 {
 	char TempBuf[COMMAND_LEN];
 	memset(TempBuf, 0, sizeof(TempBuf));
 	strcpy(RqstBuf, "M-SEARCH * HTTP/1.1\r\n");
 	if (AddressFamily == AF_INET) {
-		sprintf(TempBuf, "HOST: %s:%d\r\n", SSDP_IP, SSDP_PORT);
+		snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: %s:%d\r\n",
 			SSDP_IP, SSDP_PORT);
 	} else if (AddressFamily == AF_INET6) {
-		sprintf(TempBuf, "HOST: [%s]:%d\r\n", SSDP_IPV6_LINKLOCAL,
+		snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: [%s]:%d\r\n",
-			SSDP_PORT);
+			SSDP_IPV6_LINKLOCAL, SSDP_PORT);
 	}
 	strcat(RqstBuf, TempBuf);
 	strcat(RqstBuf, "MAN: \"ssdp:discover\"\r\n");
 	if (Mx > 0) {
-		sprintf(TempBuf, "MX: %d\r\n", Mx);
+		snprintf(TempBuf, sizeof(TempBuf) - 1, "MX: %d\r\n", Mx);
 		strcat(RqstBuf, TempBuf);
 	}
 	if (SearchTarget != NULL) {
-		sprintf(TempBuf, "ST: %s\r\n", SearchTarget);
+		snprintf(TempBuf, sizeof(TempBuf) - 1, "ST: %s\r\n",
 			SearchTarget);
 		strcat(RqstBuf, TempBuf);
 	}
 	strcat(RqstBuf, "\r\n");
@ -365,21 +368,24 @@ static void CreateClientRequestPacketUlaGua(
 {
 	char TempBuf[COMMAND_LEN];
 	memset(TempBuf, 0, sizeof(TempBuf));
 	strcpy(RqstBuf, "M-SEARCH * HTTP/1.1\r\n");
 	if (AddressFamily == AF_INET) {
-		sprintf(TempBuf, "HOST: %s:%d\r\n", SSDP_IP, SSDP_PORT);
+		snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: %s:%d\r\n",
 			SSDP_IP, SSDP_PORT);
 	} else if (AddressFamily == AF_INET6) {
-		sprintf(TempBuf, "HOST: [%s]:%d\r\n", SSDP_IPV6_SITELOCAL,
+		snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: [%s]:%d\r\n",
-			SSDP_PORT);
+			SSDP_IPV6_SITELOCAL, SSDP_PORT);
 	}
 	strcat(RqstBuf, TempBuf);
 	strcat(RqstBuf, "MAN: \"ssdp:discover\"\r\n");
 	if (Mx > 0) {
-		sprintf(TempBuf, "MX: %d\r\n", Mx);
+		snprintf(TempBuf, sizeof(TempBuf) - 1, "MX: %d\r\n", Mx);
 		strcat(RqstBuf, TempBuf);
 	}
 	if (SearchTarget) {
-		sprintf(TempBuf, "ST: %s\r\n", SearchTarget);
+		snprintf(TempBuf, sizeof(TempBuf) - 1, "ST: %s\r\n",
 			SearchTarget);
 		strcat(RqstBuf, TempBuf);
 	}
 	strcat(RqstBuf, "\r\n");
--- a/upnp/src/ssdp/ssdp_device.c
+++ b/upnp/src/ssdp/ssdp_device.c
@ -440,6 +440,7 @@ int DeviceAdvertisement(char *DevType, int RootDev, char *Udn, char *Location,
 	UpnpPrintf(UPNP_INFO, SSDP, __FILE__, __LINE__,
 		   "In function DeviceAdvertisement\n");
 	memset(&__ss, 0, sizeof(__ss));
 	memset(Mil_Usn, 0, sizeof(Mil_Usn));
 	if (AddressFamily == AF_INET) {
 		DestAddr4->sin_family = AF_INET;
 		inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr);
@ -461,7 +462,8 @@ int DeviceAdvertisement(char *DevType, int RootDev, char *Udn, char *Location,
 	/* If deviceis a root device , here we need to send 3 advertisement
 	 * or reply */
 	if (RootDev) {
-		sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn);
+		snprintf(Mil_Usn, sizeof(Mil_Usn) - 1,
 			"%s::upnp:rootdevice", Udn);
 		CreateServicePacket(MSGTYPE_ADVERTISEMENT, "upnp:rootdevice",
 				    Mil_Usn, Location, Duration, &msgs[0],
 				    AddressFamily, PowerState, SleepPeriod,
@ -471,7 +473,7 @@ int DeviceAdvertisement(char *DevType, int RootDev, char *Udn, char *Location,
 	CreateServicePacket(MSGTYPE_ADVERTISEMENT, Udn, Udn,
 			    Location, Duration, &msgs[1], AddressFamily,
 			    PowerState, SleepPeriod, RegistrationState);
-	sprintf(Mil_Usn, "%s::%s", Udn, DevType);
+	snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, DevType);
 	CreateServicePacket(MSGTYPE_ADVERTISEMENT, DevType, Mil_Usn,
 			    Location, Duration, &msgs[2], AddressFamily,
 			    PowerState, SleepPeriod, RegistrationState);
@ -513,11 +515,13 @@ int SendReply(struct sockaddr *DestAddr, char *DevType, int RootDev,
 	msgs[0] = NULL;
 	msgs[1] = NULL;
 	memset(Mil_Usn, 0, sizeof(Mil_Usn));
 	if (RootDev) {
 		/* one msg for root device */
 		num_msgs = 1;
-		sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn);
+		snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::upnp:rootdevice",
 			Udn);
 		CreateServicePacket(MSGTYPE_REPLY, "upnp:rootdevice",
 				    Mil_Usn, Location, Duration, &msgs[0],
 				    DestAddr->sa_family, PowerState,
@ -533,7 +537,8 @@ int SendReply(struct sockaddr *DestAddr, char *DevType, int RootDev,
 					    DestAddr->sa_family, PowerState,
 					    SleepPeriod, RegistrationState);
 		} else {
-			sprintf(Mil_Usn, "%s::%s", Udn, DevType);
+			snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn,
 				DevType);
 			CreateServicePacket(MSGTYPE_REPLY, DevType, Mil_Usn,
 					    Location, Duration, &msgs[0],
 					    DestAddr->sa_family, PowerState,
@ -567,23 +572,26 @@ int DeviceReply(struct sockaddr *DestAddr, char *DevType, int RootDev,
 	szReq[0] = NULL;
 	szReq[1] = NULL;
 	szReq[2] = NULL;
 	memset(Mil_Nt, 0, sizeof(Mil_Nt));
 	memset(Mil_Usn, 0, sizeof(Mil_Usn));
 	/* create 2 or 3 msgs */
 	if (RootDev) {
 		/* 3 replies for root device */
-		strcpy(Mil_Nt, "upnp:rootdevice");
+		strncpy(Mil_Nt, "upnp:rootdevice", sizeof(Mil_Nt) - 1);
-		sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn);
+		snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::upnp:rootdevice",
 			Udn);
 		CreateServicePacket(MSGTYPE_REPLY, Mil_Nt, Mil_Usn,
 				    Location, Duration, &szReq[0],
 				    DestAddr->sa_family, PowerState,
 				    SleepPeriod, RegistrationState);
 	}
-	sprintf(Mil_Nt, "%s", Udn);
+	snprintf(Mil_Nt, sizeof(Mil_Nt) - 1, "%s", Udn);
-	sprintf(Mil_Usn, "%s", Udn);
+	snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s", Udn);
 	CreateServicePacket(MSGTYPE_REPLY, Mil_Nt, Mil_Usn,
 			    Location, Duration, &szReq[1], DestAddr->sa_family,
 			    PowerState, SleepPeriod, RegistrationState);
-	sprintf(Mil_Nt, "%s", DevType);
+	snprintf(Mil_Nt, sizeof(Mil_Nt) - 1, "%s", DevType);
-	sprintf(Mil_Usn, "%s::%s", Udn, DevType);
+	snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, DevType);
 	CreateServicePacket(MSGTYPE_REPLY, Mil_Nt, Mil_Usn,
 			    Location, Duration, &szReq[2], DestAddr->sa_family,
 			    PowerState, SleepPeriod, RegistrationState);
@ -621,6 +629,7 @@ int ServiceAdvertisement(char *Udn, char *ServType, char *Location,
 	struct sockaddr_in6 *DestAddr6 = (struct sockaddr_in6 *)&__ss;
 	memset(&__ss, 0, sizeof(__ss));
 	memset(Mil_Usn, 0, sizeof(Mil_Usn));
 	if (AddressFamily == AF_INET) {
 		DestAddr4->sin_family = AF_INET;
 		inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr);
@ -636,7 +645,7 @@ int ServiceAdvertisement(char *Udn, char *ServType, char *Location,
 		UpnpPrintf(UPNP_CRITICAL, SSDP, __FILE__, __LINE__,
 			   "Invalid device address family.\n");
 	}
-	sprintf(Mil_Usn, "%s::%s", Udn, ServType);
+	snprintf(Mil_Usn, sizeof(Mil_Usn) - 1,"%s::%s", Udn, ServType);
 	/* CreateServiceRequestPacket(1,szReq[0],Mil_Nt,Mil_Usn,
 	 * Server,Location,Duration); */
 	CreateServicePacket(MSGTYPE_ADVERTISEMENT, ServType, Mil_Usn,
@ -659,8 +668,9 @@ int ServiceReply(struct sockaddr *DestAddr, char *ServType, char *Udn,
 	char *szReq[1];
 	int RetVal;
 	memset(Mil_Usn, 0, sizeof(Mil_Usn));
 	szReq[0] = NULL;
-	sprintf(Mil_Usn, "%s::%s", Udn, ServType);
+	snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, ServType);
 	CreateServicePacket(MSGTYPE_REPLY, ServType, Mil_Usn,
 			    Location, Duration, &szReq[0], DestAddr->sa_family,
 			    PowerState, SleepPeriod, RegistrationState);
@ -684,6 +694,7 @@ int ServiceShutdown(char *Udn, char *ServType, char *Location, int Duration,
 	int RetVal = UPNP_E_SUCCESS;
 	memset(&__ss, 0, sizeof(__ss));
 	memset(Mil_Usn, 0, sizeof(Mil_Usn));
 	if (AddressFamily == AF_INET) {
 		DestAddr4->sin_family = AF_INET;
 		inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr);
@ -700,7 +711,7 @@ int ServiceShutdown(char *Udn, char *ServType, char *Location, int Duration,
 			   "Invalid device address family.\n");
 	}
 	/* sprintf(Mil_Nt,"%s",ServType); */
-	sprintf(Mil_Usn, "%s::%s", Udn, ServType);
+	snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, ServType);
 	/* CreateServiceRequestPacket(0,szReq[0],Mil_Nt,Mil_Usn,
 	 * Server,Location,Duration); */
 	CreateServicePacket(MSGTYPE_SHUTDOWN, ServType, Mil_Usn,
@ -729,6 +740,7 @@ int DeviceShutdown(char *DevType, int RootDev, char *Udn, char *_Server,
 	msgs[1] = NULL;
 	msgs[2] = NULL;
 	memset(&__ss, 0, sizeof(__ss));
 	memset(Mil_Usn, 0, sizeof(Mil_Usn));
 	if (AddressFamily == AF_INET) {
 		DestAddr4->sin_family = AF_INET;
 		inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr);
@ -746,7 +758,8 @@ int DeviceShutdown(char *DevType, int RootDev, char *Udn, char *_Server,
 	}
 	/* root device has one extra msg */
 	if (RootDev) {
-		sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn);
+		snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::upnp:rootdevice",
 			Udn);
 		CreateServicePacket(MSGTYPE_SHUTDOWN, "upnp:rootdevice",
 				    Mil_Usn, Location, Duration, &msgs[0],
 				    AddressFamily, PowerState, SleepPeriod,
@ -758,7 +771,7 @@ int DeviceShutdown(char *DevType, int RootDev, char *Udn, char *_Server,
 	CreateServicePacket(MSGTYPE_SHUTDOWN, Udn, Udn,
 			    Location, Duration, &msgs[1], AddressFamily,
 			    PowerState, SleepPeriod, RegistrationState);
-	sprintf(Mil_Usn, "%s::%s", Udn, DevType);
+	snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, DevType);
 	CreateServicePacket(MSGTYPE_SHUTDOWN, DevType, Mil_Usn,
 			    Location, Duration, &msgs[2], AddressFamily,
 			    PowerState, SleepPeriod, RegistrationState);
--- a/upnp/src/ssdp/ssdp_server.c
+++ b/upnp/src/ssdp/ssdp_server.c
@ -467,8 +467,11 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
 			ptr3 = strstr(ptr2 + 1, ":");
 		else
 			return -1;
-		if (ptr3 != NULL)
+		if (ptr3 != NULL) {
-			sprintf(Evt->UDN, "uuid:%s", ptr3 + 1);
+			memset(Evt->UDN, 0, sizeof(Evt->UDN));
 			snprintf(Evt->UDN, sizeof(Evt->UDN) - 1,
 				"uuid:%s", ptr3 + 1);
 		}
 		else
 			return -1;
 		ptr1 = strstr(cmd, ":");
@ -476,7 +479,9 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
 			n = (size_t) (ptr3 - ptr1);
 			strncpy(TempBuf, ptr1, n);
 			TempBuf[n] = '\0';
-			sprintf(Evt->DeviceType, "urn%s", TempBuf);
+			memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
 			snprintf(Evt->DeviceType, sizeof(Evt->DeviceType) - 1,
 				"urn%s", TempBuf);
 		} else
 			return -1;
 		return 0;
--- a/upnp/src/urlconfig/urlconfig.c
+++ b/upnp/src/urlconfig/urlconfig.c
@ -133,9 +133,10 @@ static UPNP_INLINE int calc_alias(
 	alias_temp = malloc(new_alias_len + 1);
 	if (alias_temp == NULL)
 		return UPNP_E_OUTOF_MEMORY;
-	strcpy(alias_temp, rootPath);
+	memset(alias_temp, 0, new_alias_len + 1);
-	strcat(alias_temp, temp_str);
+	strncpy(alias_temp, rootPath, root_len);
-	strcat(alias_temp, aliasPtr);
+	strncat(alias_temp, temp_str, strlen(temp_str));
 	strncat(alias_temp, aliasPtr, strlen(aliasPtr));
 	*newAlias = alias_temp;
 	return UPNP_E_SUCCESS;
@ -173,9 +174,10 @@ static UPNP_INLINE int calc_descURL(
 	len = strlen(http_scheme) + strlen(ipPortStr) + strlen(alias);
 	if (len > (LINE_SIZE - 1))
 		return UPNP_E_URL_TOO_BIG;
-	strcpy(descURL, http_scheme);
+	strncpy(descURL, http_scheme, strlen(http_scheme));
-	strcat(descURL, ipPortStr);
+	strncat(descURL, ipPortStr, strlen(ipPortStr));
-	strcat(descURL, alias);
+	strncat(descURL, alias, strlen(alias));
 	descURL[len] = '\0';
 	UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__,
 		   "desc url: %s\n", descURL);