Security fix for CERT issue VU#922681
This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the folowing CVE
numbers:
CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
Notice that the following issues have already been dealt by previous
work:
CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
(cherry picked from commit f015a132e8)
			
			
This commit is contained in:
		
							
								
								
									
										20
									
								
								ChangeLog
									
									
									
									
									
								
							
							
						
						
									
										20
									
								
								ChangeLog
									
									
									
									
									
								
							| @@ -349,6 +349,26 @@ Version 1.8.0 | ||||
| Version 1.6.18 | ||||
| ******************************************************************************* | ||||
|  | ||||
| 2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net> | ||||
|  | ||||
| 	Security fix for CERT issue VU#922681 | ||||
|  | ||||
| 	This patch addresses three possible buffer overflows in function | ||||
| 	unique_service_name(). The three issues have the folowing CVE numbers: | ||||
|  | ||||
| 	CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf | ||||
| 	CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN | ||||
| 	CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN | ||||
|  | ||||
| 	Notice that the following issues have already been dealt by previous | ||||
| 	work: | ||||
|  | ||||
| 	CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN | ||||
| 	CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType | ||||
| 	CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN | ||||
| 	CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType | ||||
| 	CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType | ||||
|  | ||||
| 2012-06-19 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com> | ||||
|  | ||||
| 	Fix memory leak and access violation in UpnpSendAction(Ex)Async. | ||||
|   | ||||
| @@ -467,16 +467,16 @@ int unique_service_name(char *cmd, SsdpEvent *Evt) | ||||
| 		else | ||||
| 			return -1; | ||||
| 		if (ptr3 != NULL) { | ||||
| 			if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof(Evt->UDN)) | ||||
| 			if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN) | ||||
| 				return -1; | ||||
| 			snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s", | ||||
| 				ptr3 + 1); | ||||
| 			snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1); | ||||
| 		} | ||||
| 		else | ||||
| 			return -1; | ||||
| 		ptr1 = strstr(cmd, ":"); | ||||
| 		if (ptr1 != NULL) { | ||||
| 			n = (size_t)ptr3 - (size_t)ptr1; | ||||
| 			n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n; | ||||
| 			strncpy(TempBuf, ptr1, n); | ||||
| 			TempBuf[n] = '\0'; | ||||
| 			if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType)) | ||||
| @@ -490,27 +490,28 @@ int unique_service_name(char *cmd, SsdpEvent *Evt) | ||||
| 	if ((TempPtr = strstr(cmd, "uuid")) != NULL) { | ||||
| 		if ((Ptr = strstr(cmd, "::")) != NULL) { | ||||
| 			n = (size_t)Ptr - (size_t)TempPtr; | ||||
| 			n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n; | ||||
| 			strncpy(Evt->UDN, TempPtr, n); | ||||
| 			Evt->UDN[n] = '\0'; | ||||
| 		} else { | ||||
| 			memset(Evt->UDN, 0, sizeof(Evt->UDN)); | ||||
| 			strncpy(Evt->UDN, TempPtr, sizeof(Evt->UDN) - 1); | ||||
| 			strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1); | ||||
| 		} | ||||
| 		CommandFound = 1; | ||||
| 	} | ||||
| 	if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) { | ||||
| 		if ((TempPtr = strstr(cmd, "urn")) != NULL) { | ||||
| 			memset(Evt->ServiceType, 0, sizeof(Evt->ServiceType)); | ||||
| 			memset(Evt->ServiceType, 0, sizeof Evt->ServiceType); | ||||
| 			strncpy(Evt->ServiceType, TempPtr, | ||||
| 				sizeof(Evt->ServiceType) - 1); | ||||
| 				sizeof Evt->ServiceType - 1); | ||||
| 			CommandFound = 1; | ||||
| 		} | ||||
| 	} | ||||
| 	if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) { | ||||
| 		if ((TempPtr = strstr(cmd, "urn")) != NULL) { | ||||
| 			memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType)); | ||||
| 			memset(Evt->DeviceType, 0, sizeof Evt->DeviceType); | ||||
| 			strncpy(Evt->DeviceType, TempPtr, | ||||
| 				sizeof(Evt->DeviceType) - 1); | ||||
| 				sizeof Evt->DeviceType - 1); | ||||
| 			CommandFound = 1; | ||||
| 		} | ||||
| 	} | ||||
| @@ -518,6 +519,7 @@ int unique_service_name(char *cmd, SsdpEvent *Evt) | ||||
| 		/* Everything before "::upnp::rootdevice" is the UDN. */ | ||||
| 		if (TempPtr != cmd) { | ||||
| 			n = (size_t)TempPtr - (size_t)cmd; | ||||
| 			n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n; | ||||
| 			strncpy(Evt->UDN, cmd, n); | ||||
| 			Evt->UDN[n] = 0; | ||||
| 			CommandFound = 1; | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 Marcelo Roberto Jimenez
					Marcelo Roberto Jimenez