From 37b0afe1dcba7b58ac6bdb5553cc1ec5e2673fd0 Mon Sep 17 00:00:00 2001
From: Yoichi NAKAYAMA <yoichi.nakayama@gmail.com>
Date: Sun, 11 Mar 2012 01:40:48 +0900
Subject: [PATCH] Treat large argument as error in UpnpAddVirtualDir. (cherry
 picked from commit e4678168fa8564e788293ef764dc3265f89484bc)

---
 ChangeLog              | 1 +
 upnp/src/api/upnpapi.c | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index a7b4dc9..dc16f98 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -322,6 +322,7 @@ Version 1.6.16
 
 	Further measures against buffer overflows.
 
+	Treat large argument as error in UpnpAddVirtualDir.
 	Do not clear buffer before snprintf.
 
 2012-03-10 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
diff --git a/upnp/src/api/upnpapi.c b/upnp/src/api/upnpapi.c
index 77ced00..33512c5 100644
--- a/upnp/src/api/upnpapi.c
+++ b/upnp/src/api/upnpapi.c
@@ -3979,9 +3979,13 @@ int UpnpAddVirtualDir(const char *newDirName)
     }
 
     if( *newDirName != '/' ) {
+        if (strlen(newDirName) > sizeof(dirName) - 2)
+            return UPNP_E_INVALID_PARAM;
         dirName[0] = '/';
         strncpy( dirName + 1, newDirName, sizeof( dirName ) - 2 );
     } else {
+        if (strlen(newDirName) > sizeof(dirName) - 1)
+            return UPNP_E_INVALID_PARAM;
         strncpy( dirName, newDirName, sizeof( dirName ) - 1 );
     }