diff --git a/ChangeLog b/ChangeLog index 34c5c6f..6b783c4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -332,6 +332,13 @@ Version 1.8.0 Version 1.6.18 ******************************************************************************* +2012-06-19 Yoichi NAKAYAMA + + Fix memory leak and access violation in UpnpSendAction(Ex)Async. + + Free buffers after malloc or ixmlPrintNode failure. + Free Param->Header before destructing Param. + 2012-05-25 Anoop Mohan This patch fixes a bug in non blocking connect call where the sock diff --git a/upnp/src/api/upnpapi.c b/upnp/src/api/upnpapi.c index f231f67..82e73a8 100644 --- a/upnp/src/api/upnpapi.c +++ b/upnp/src/api/upnpapi.c @@ -2769,6 +2769,7 @@ int UpnpSendActionAsync( malloc( sizeof( struct UpnpNonblockParam ) ); if( Param == NULL ) { + ixmlFreeDOMString( tmpStr ); return UPNP_E_OUTOF_MEMORY; } memset( Param, 0, sizeof( struct UpnpNonblockParam ) ); @@ -2862,6 +2863,7 @@ int UpnpSendActionExAsync( tmpStr = ixmlPrintNode( ( IXML_Node * ) Act ); if( tmpStr == NULL ) { + ixmlFreeDOMString( headerStr ); return UPNP_E_INVALID_ACTION; } @@ -2869,6 +2871,8 @@ int UpnpSendActionExAsync( ( struct UpnpNonblockParam * ) malloc( sizeof( struct UpnpNonblockParam ) ); if( Param == NULL ) { + ixmlFreeDOMString( tmpStr ); + ixmlFreeDOMString( headerStr ); return UPNP_E_OUTOF_MEMORY; } memset( Param, 0, sizeof( struct UpnpNonblockParam ) ); @@ -2892,10 +2896,10 @@ int UpnpSendActionExAsync( retVal = ixmlParseBufferEx( tmpStr, &( Param->Act ) ); if( retVal != IXML_SUCCESS ) { + ixmlDocument_free( Param->Header ); free( Param ); ixmlFreeDOMString( tmpStr ); ixmlFreeDOMString( headerStr ); - ixmlDocument_free( Param->Header ); if( retVal == IXML_INSUFFICIENT_MEMORY ) { return UPNP_E_OUTOF_MEMORY; } else { diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c index e3b6d2a..13db741 100644 --- a/upnp/src/gena/gena_device.c +++ b/upnp/src/gena/gena_device.c 
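Review bot: In the `ixmlParseBufferEx` failure branch of UpnpSendActionExAsync (hunk at -2892), the corrected release order is conveyed only by statement position, and nothing tells the next editor why `ixmlDocument_free( Param->Header )` has to come first. Reading `Param->Header` after `free( Param )` is a use-after-free, so the constraint deserves a comment at the call, for example `/* Release Param's members before free( Param ); Param must not be dereferenced afterwards. */`. The same hand-written cleanup now appears in three exits of this function (the `tmpStr == NULL` and `Param == NULL` branches in the two hunks above), each freeing a different subset. The function starts and ends outside these hunks, so whether its remaining exits release everything cannot be confirmed from here.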
@@ -257,14 +257,11 @@ static int genaNotify( { size_t i; membuffer mid_msg; - membuffer endmsg; uri_type *url; http_parser_t response; int return_code = -1; membuffer_init(&mid_msg); - /* make 'end' msg (the part that won't vary with the destination) */ - endmsg.size_inc = 30; if (http_MakeMessage(&mid_msg, 1, 1, "s" "ssc" "sdcc", headers, diff --git a/upnp/src/genlib/miniserver/miniserver.c b/upnp/src/genlib/miniserver/miniserver.c index af310ca..eae6eca 100644 --- a/upnp/src/genlib/miniserver/miniserver.c +++ b/upnp/src/genlib/miniserver/miniserver.c @@ -502,10 +502,14 @@ static int get_miniserver_sockets( MiniServerSockArray *out, /*! [in] port on which the server is listening for incoming IPv4 * connections. */ - uint16_t listen_port4, + uint16_t listen_port4 +#ifdef UPNP_ENABLE_IPV6 + , /*! [in] port on which the server is listening for incoming IPv6 * connections. */ - uint16_t listen_port6) + uint16_t listen_port6 +#endif + ) { char errorBuffer[ERROR_BUFFER_LEN]; struct sockaddr_storage __ss_v4; @@ -760,10 +764,6 @@ static int get_miniserver_sockets( out->miniServerSock4 = listenfd4; #ifdef UPNP_ENABLE_IPV6 out->miniServerSock6 = listenfd6; -#else - /* Silence compiler warning message: - * warning: unused parameter ‘listen_port6’ */ - listen_port6 = 0u; #endif return UPNP_E_SUCCESS; } @@ -868,7 +868,11 @@ int StartMiniServer( #ifdef INTERNAL_WEB_SERVER /* V4 and V6 http listeners. */ ret_code = get_miniserver_sockets( - miniSocket, *listen_port4, *listen_port6); + miniSocket, *listen_port4 +#ifdef UPNP_ENABLE_IPV6 + , *listen_port6 +#endif + ); if (ret_code != UPNP_E_SUCCESS) { free(miniSocket); return ret_code; diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c index eb2294e..99e9cfb 100644 --- a/upnp/src/genlib/net/http/webserver.c +++ b/upnp/src/genlib/net/http/webserver.c 
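Review bot: Making `listen_port6` a conditional parameter of get_miniserver_sockets (hunk at -502) puts preprocessor branches inside the parameter list and again inside the call in StartMiniServer (hunk at -868), so the function's signature now depends on `UPNP_ENABLE_IPV6` and every caller has to repeat the `#ifdef`. The unused-parameter warning that the removed `#else` block silenced can be handled without touching the interface: keep the parameter unconditional and replace the dummy store `listen_port6 = 0u;` with `(void)listen_port6;` in that `#else` branch. If the conditional signature is kept, the parameter's `/*! [in] ... */` comment should state that it exists only in IPv6 builds. The body of get_miniserver_sockets continues outside these hunks.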
@@ -493,8 +493,6 @@ int web_server_init() void web_server_destroy(void) { - int ret; - if (bWebServerState == WEB_SERVER_ENABLED) { membuffer_destroy(&gDocumentRootDir); alias_release(&gAliasDoc); @@ -503,8 +501,7 @@ void web_server_destroy(void) memset(&gAliasDoc, 0, sizeof(struct xml_alias_t)); ithread_mutex_unlock(&gWebMutex); - ret = ithread_mutex_destroy(&gWebMutex); - assert(ret == 0); + ithread_mutex_destroy(&gWebMutex); bWebServerState = WEB_SERVER_DISABLED; } } diff --git a/upnp/src/ssdp/ssdp_device.c b/upnp/src/ssdp/ssdp_device.c index d00efb5..c3dbc1f 100644 --- a/upnp/src/ssdp/ssdp_device.c +++ b/upnp/src/ssdp/ssdp_device.c @@ -186,7 +186,9 @@ static int NewRequestHandler( unsigned long replyAddr = inet_addr(gIF_IPV4); /* a/c to UPNP Spec */ int ttl = 4; +#ifdef INET_IPV6 int hops = 1; +#endif char buf_ntop[INET6_ADDRSTRLEN]; int ret = UPNP_E_SUCCESS;
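Review bot: The result of `ithread_mutex_destroy(&gWebMutex)` in web_server_destroy (hunk at -503) is now dropped silently, whereas the removed `assert(ret == 0)` at least caught a failure in debug builds. A non-zero return would typically mean the mutex is still locked or in use during teardown, which is a lifetime problem worth surfacing rather than hiding. If ignoring it is intended, say so at the call with `(void)ithread_mutex_destroy(&gWebMutex); /* best effort: teardown continues if destroy fails */`; otherwise keep `ret` and report a non-zero value through the library's logging. The destroy directly follows `ithread_mutex_unlock(&gWebMutex)` and precedes the `bWebServerState = WEB_SERVER_DISABLED` store; whether another thread can take the mutex in that window is not visible from this hunk.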
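Review bot: The new guard around `int hops = 1;` in NewRequestHandler tests `INET_IPV6`, while the IPv6 guards added to miniserver.c in this same commit test `UPNP_ENABLE_IPV6`. The use of `hops` lies outside the hunk; if it is compiled under a different macro than the declaration, one configuration fails on an undeclared identifier and the other keeps the unused-variable warning, so confirm both sit under the same condition. A comment on the declaration such as `/* hops is referenced only in the INET_IPV6 code path */` would record why it is conditional.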