From f67de332a18010e7f54f0d276c0ef7ee304327e1 Mon Sep 17 00:00:00 2001 From: Yoichi NAKAYAMA Date: Tue, 19 Jun 2012 19:13:46 +0900 Subject: [PATCH 1/4] Fix memory leak and access violation in UpnpSendAction(Ex)Async. Free buffers after malloc or ixmlPrintNode failure. Free Param->Header before destructing Param. (cherry picked from commit d9e90499b7ead7e9fae30b9c248b343ec6d9b273) --- ChangeLog | 7 +++++++ upnp/src/api/upnpapi.c | 6 +++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 34c5c6f..6b783c4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -332,6 +332,13 @@ Version 1.8.0 Version 1.6.18 ******************************************************************************* +2012-06-19 Yoichi NAKAYAMA + + Fix memory leak and access violation in UpnpSendAction(Ex)Async. + + Free buffers after malloc or ixmlPrintNode failure. + Free Param->Header before destructing Param. + 2012-05-25 Anoop Mohan This patch fixes a bug in non blocking connect call where the sock diff --git a/upnp/src/api/upnpapi.c b/upnp/src/api/upnpapi.c index 2a24b52..375adc8 100644 --- a/upnp/src/api/upnpapi.c +++ b/upnp/src/api/upnpapi.c @@ -2769,6 +2769,7 @@ int UpnpSendActionAsync( malloc( sizeof( struct UpnpNonblockParam ) ); if( Param == NULL ) { + ixmlFreeDOMString( tmpStr ); return UPNP_E_OUTOF_MEMORY; } memset( Param, 0, sizeof( struct UpnpNonblockParam ) ); @@ -2862,6 +2863,7 @@ int UpnpSendActionExAsync( tmpStr = ixmlPrintNode( ( IXML_Node * ) Act ); if( tmpStr == NULL ) { + ixmlFreeDOMString( headerStr ); return UPNP_E_INVALID_ACTION; } @@ -2869,6 +2871,8 @@ int UpnpSendActionExAsync( ( struct UpnpNonblockParam * ) malloc( sizeof( struct UpnpNonblockParam ) ); if( Param == NULL ) { + ixmlFreeDOMString( tmpStr ); + ixmlFreeDOMString( headerStr ); return UPNP_E_OUTOF_MEMORY; } memset( Param, 0, sizeof( struct UpnpNonblockParam ) ); @@ -2892,10 +2896,10 @@ int UpnpSendActionExAsync( retVal = ixmlParseBufferEx( tmpStr, &( Param->Act ) ); if( retVal != IXML_SUCCESS ) { + ixmlDocument_free( Param->Header ); free( Param ); ixmlFreeDOMString( tmpStr ); ixmlFreeDOMString( headerStr ); - ixmlDocument_free( Param->Header ); if( retVal == IXML_INSUFFICIENT_MEMORY ) { return UPNP_E_OUTOF_MEMORY; } else { From fa9aef8eb662ce74fc340073b498d1657646327a Mon Sep 17 00:00:00 2001 From: Marcelo Roberto Jimenez Date: Wed, 20 Jun 2012 21:15:01 -0300 Subject: [PATCH 2/4] Remove a pointless way to test a return value (cherry picked from commit 692813d03e0d89b239639499c5b700ddf6d9458d) --- upnp/src/genlib/net/http/webserver.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c index eb2294e..99e9cfb 100644 --- a/upnp/src/genlib/net/http/webserver.c +++ b/upnp/src/genlib/net/http/webserver.c @@ -493,8 +493,6 @@ int web_server_init() void web_server_destroy(void) { - int ret; - if (bWebServerState == WEB_SERVER_ENABLED) { membuffer_destroy(&gDocumentRootDir); alias_release(&gAliasDoc); @@ -503,8 +501,7 @@ void web_server_destroy(void) memset(&gAliasDoc, 0, sizeof(struct xml_alias_t)); ithread_mutex_unlock(&gWebMutex); - ret = ithread_mutex_destroy(&gWebMutex); - assert(ret == 0); + ithread_mutex_destroy(&gWebMutex); bWebServerState = WEB_SERVER_DISABLED; } } From 40d5a1dea3a83fcc3ad4e9d3617ff71ebe3f83cd Mon Sep 17 00:00:00 2001 From: Marcelo Roberto Jimenez Date: Wed, 20 Jun 2012 21:17:25 -0300 Subject: [PATCH 3/4] Remove an unused variable ifndef INET_IPV6 (cherry picked from commit 40ddff10964905b3d63b9e1d7ed6d045c2db6dab) --- upnp/src/genlib/miniserver/miniserver.c | 18 +++++++++++------- upnp/src/ssdp/ssdp_device.c | 2 ++ 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/upnp/src/genlib/miniserver/miniserver.c b/upnp/src/genlib/miniserver/miniserver.c index af310ca..eae6eca 100644 --- a/upnp/src/genlib/miniserver/miniserver.c +++ b/upnp/src/genlib/miniserver/miniserver.c @@ -502,10 +502,14 @@ static int get_miniserver_sockets( MiniServerSockArray *out, /*! [in] port on which the server is listening for incoming IPv4 * connections. */ - uint16_t listen_port4, + uint16_t listen_port4 +#ifdef UPNP_ENABLE_IPV6 + , /*! [in] port on which the server is listening for incoming IPv6 * connections. */ - uint16_t listen_port6) + uint16_t listen_port6 +#endif + ) { char errorBuffer[ERROR_BUFFER_LEN]; struct sockaddr_storage __ss_v4; @@ -760,10 +764,6 @@ static int get_miniserver_sockets( out->miniServerSock4 = listenfd4; #ifdef UPNP_ENABLE_IPV6 out->miniServerSock6 = listenfd6; -#else - /* Silence compiler warning message: - * warning: unused parameter ‘listen_port6’ */ - listen_port6 = 0u; #endif return UPNP_E_SUCCESS; } @@ -868,7 +868,11 @@ int StartMiniServer( #ifdef INTERNAL_WEB_SERVER /* V4 and V6 http listeners. */ ret_code = get_miniserver_sockets( - miniSocket, *listen_port4, *listen_port6); + miniSocket, *listen_port4 +#ifdef UPNP_ENABLE_IPV6 + , *listen_port6 +#endif + ); if (ret_code != UPNP_E_SUCCESS) { free(miniSocket); return ret_code; diff --git a/upnp/src/ssdp/ssdp_device.c b/upnp/src/ssdp/ssdp_device.c index d00efb5..c3dbc1f 100644 --- a/upnp/src/ssdp/ssdp_device.c +++ b/upnp/src/ssdp/ssdp_device.c @@ -186,7 +186,9 @@ static int NewRequestHandler( unsigned long replyAddr = inet_addr(gIF_IPV4); /* a/c to UPNP Spec */ int ttl = 4; +#ifdef INET_IPV6 int hops = 1; +#endif char buf_ntop[INET6_ADDRSTRLEN]; int ret = UPNP_E_SUCCESS; From 9f17244f95a45a6ebabc18c1aecc041e518f67c8 Mon Sep 17 00:00:00 2001 From: Marcelo Roberto Jimenez Date: Wed, 20 Jun 2012 21:33:16 -0300 Subject: [PATCH 4/4] Remove an unused variable (cherry picked from commit 40e90e89fc406f0ed665d3753b5fb3b7071787d3) --- upnp/src/gena/gena_device.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c index e3b6d2a..13db741 100644 --- a/upnp/src/gena/gena_device.c +++ b/upnp/src/gena/gena_device.c @@ -257,14 +257,11 @@ static int genaNotify( { size_t i; membuffer mid_msg; - membuffer endmsg; uri_type *url; http_parser_t response; int return_code = -1; membuffer_init(&mid_msg); - /* make 'end' msg (the part that won't vary with the destination) */ - endmsg.size_inc = 30; if (http_MakeMessage(&mid_msg, 1, 1, "s" "ssc" "sdcc", headers,