From 1a8a8228e49b75267d67c4298f765f04ac0b9733 Mon Sep 17 00:00:00 2001 From: Peng Date: Mon, 2 Sep 2013 14:56:11 -0300 Subject: [PATCH] Avoid malicious client exploit to exhaust the device's memory Suppose the UPnP device is listening on 192.168.1.102:49152. Use the following to send garbage bytes to the device: while true; do echo "\""; done | netcat 192.168.1.102 49152 The device just keeps receiving these bytes and its memory usage keeps growing. Malicious client may exploit it to exhaust the device's memory. The attached patch eliminates this possibility. (cherry picked from commit 9a9c4e829ea059bafc80d5fb568223a8b2068b28) --- ChangeLog | 11 +++++++++++ upnp/src/genlib/net/http/httpreadwrite.c | 1 + 2 files changed, 12 insertions(+) diff --git a/ChangeLog b/ChangeLog index c99285f..028f17e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -357,6 +357,17 @@ Version 1.8.0 Version 1.6.19 ******************************************************************************* +2013-09-02 Peng + + Suppose the UPnP device is listening on 192.168.1.102:49152. Use the following to send + garbage bytes to the device: + while true; do echo "\""; done | netcat 192.168.1.102 49152 + + The device just keeps receiving these bytes and its memory usage keeps growing. + Malicious client may exploit it to exhaust the device's memory. + + The attached patch eliminates this possibility. + 2013-09-02 Peng 1) restore the scanner's original cursor position in case of diff --git a/upnp/src/genlib/net/http/httpreadwrite.c b/upnp/src/genlib/net/http/httpreadwrite.c index b872ede..64e991a 100644 --- a/upnp/src/genlib/net/http/httpreadwrite.c +++ b/upnp/src/genlib/net/http/httpreadwrite.c @@ -382,6 +382,7 @@ int http_RecvMessage( ret = 0; goto ExitFunction; case PARSE_FAILURE: + case PARSE_NO_MATCH: *http_error_code = parser->http_error_code; line = __LINE__; ret = UPNP_E_BAD_HTTPMSG;
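Review bot: In the ChangeLog hunk, the new 2013-09-02 entry repeats the problem report but never states what was changed, and "The attached patch eliminates this possibility" has no referent once the text lives in the ChangeLog. Suggest replacing that sentence with a description of the fix itself: http_RecvMessage() in upnp/src/genlib/net/http/httpreadwrite.c now handles PARSE_NO_MATCH the same way as PARSE_FAILURE and returns UPNP_E_BAD_HTTPMSG.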
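Review bot: In the http_RecvMessage() hunk of httpreadwrite.c, the new "case PARSE_NO_MATCH:" label falls through to the PARSE_FAILURE body, which copies parser->http_error_code into *http_error_code. Please confirm the parser actually sets that field on the no-match path. If it does not, the caller receives whatever value was left there, and this case should assign an explicit bad-request code before sharing the rest of the body. A one-line comment on the new label explaining why a no-match result ends the receive (the unbounded memory growth described in the commit message) would also help. Since the fix rejects unparseable input rather than bounding the receive buffer, it is worth stating in the commit message whether input that parses but never completes is limited elsewhere.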