Security fix for CERT issue VU#922681
This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the folowing CVE
numbers:
CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
Notice that the following issues have already been dealt by previous
work:
CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
(cherry picked from commit f015a132e8)
This commit is contained in:
Marcelo Roberto Jimenez
parent
6a9baf6058
commit
2bb79879b7
20
ChangeLog
20
ChangeLog
@ -349,6 +349,26 @@ Version 1.8.0
|
||||
Version 1.6.18
|
||||
*******************************************************************************
|
||||
|
||||
2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>
|
||||
|
||||
Security fix for CERT issue VU#922681
|
||||
|
||||
This patch addresses three possible buffer overflows in function
|
||||
unique_service_name(). The three issues have the folowing CVE numbers:
|
||||
|
||||
CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
|
||||
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
|
||||
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
|
||||
|
||||
Notice that the following issues have already been dealt by previous
|
||||
work:
|
||||
|
||||
CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
|
||||
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
|
||||
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
|
||||
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
|
||||
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
|
||||
|
||||
2012-06-19 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
|
||||
|
||||
Fix memory leak and access violation in UpnpSendAction(Ex)Async.
|
||||
|
||||
@ -467,16 +467,16 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
|
||||
else
|
||||
return -1;
|
||||
if (ptr3 != NULL) {
|
||||
if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof(Evt->UDN))
|
||||
if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
|
||||
return -1;
|
||||
snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s",
|
||||
ptr3 + 1);
|
||||
snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
|
||||
}
|
||||
else
|
||||
return -1;
|
||||
ptr1 = strstr(cmd, ":");
|
||||
if (ptr1 != NULL) {
|
||||
n = (size_t)ptr3 - (size_t)ptr1;
|
||||
n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
|
||||
strncpy(TempBuf, ptr1, n);
|
||||
TempBuf[n] = '\0';
|
||||
if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
|
||||
@ -490,27 +490,28 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
|
||||
if ((TempPtr = strstr(cmd, "uuid")) != NULL) {
|
||||
if ((Ptr = strstr(cmd, "::")) != NULL) {
|
||||
n = (size_t)Ptr - (size_t)TempPtr;
|
||||
n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
|
||||
strncpy(Evt->UDN, TempPtr, n);
|
||||
Evt->UDN[n] = '\0';
|
||||
} else {
|
||||
memset(Evt->UDN, 0, sizeof(Evt->UDN));
|
||||
strncpy(Evt->UDN, TempPtr, sizeof(Evt->UDN) - 1);
|
||||
strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
|
||||
}
|
||||
CommandFound = 1;
|
||||
}
|
||||
if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) {
|
||||
if ((TempPtr = strstr(cmd, "urn")) != NULL) {
|
||||
memset(Evt->ServiceType, 0, sizeof(Evt->ServiceType));
|
||||
memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
|
||||
strncpy(Evt->ServiceType, TempPtr,
|
||||
sizeof(Evt->ServiceType) - 1);
|
||||
sizeof Evt->ServiceType - 1);
|
||||
CommandFound = 1;
|
||||
}
|
||||
}
|
||||
if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) {
|
||||
if ((TempPtr = strstr(cmd, "urn")) != NULL) {
|
||||
memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
|
||||
memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
|
||||
strncpy(Evt->DeviceType, TempPtr,
|
||||
sizeof(Evt->DeviceType) - 1);
|
||||
sizeof Evt->DeviceType - 1);
|
||||
CommandFound = 1;
|
||||
}
|
||||
}
|
||||
@ -518,6 +519,7 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
|
||||
/* Everything before "::upnp::rootdevice" is the UDN. */
|
||||
if (TempPtr != cmd) {
|
||||
n = (size_t)TempPtr - (size_t)cmd;
|
||||
n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
|
||||
strncpy(Evt->UDN, cmd, n);
|
||||
Evt->UDN[n] = 0;
|
||||
CommandFound = 1;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user