diff --git a/ChangeLog b/ChangeLog index 6edb7d0..9cca72f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,11 @@ Version 1.8.0 ******************************************************************************* +2008-06-11 Marcelo Jimenez + * Fixed a buffer overflow due to a bug in the calculation of the + CONTENT-TYPE header line size, the length was beeing calculated with + the wrong string, there was a missing colon. + 2008-06-11 Marcelo Jimenez * Ingo Hofmann's patch for "Content-Type in Subscription responses". Adds charset="utf-8" attribute to the CONTENT-TYPE header line. diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c index e6e5a97..f510dac 100644 --- a/upnp/src/gena/gena_device.c +++ b/upnp/src/gena/gena_device.c @@ -30,14 +30,14 @@ ******************************************************************************/ -#include "config.h" - - /*! * \file */ +#include "config.h" + + #if EXCLUDE_GENA == 0 #ifdef INCLUDE_DEVICE_APIS @@ -149,15 +149,15 @@ static void free_notify_struct( /*! [in] Notify structure. */ notify_thread_struct *input) { - ( *input->reference_count )--; - if( ( *input->reference_count ) == 0 ) { - free( input->headers ); - ixmlFreeDOMString( input->propertySet ); - free( input->servId ); - free( input->UDN ); - free( input->reference_count ); - } - free( input ); + (*input->reference_count)--; + if (*input->reference_count == 0) { + free(input->headers); + ixmlFreeDOMString(input->propertySet); + free(input->servId); + free(input->UDN); + free(input->reference_count); + } + free(input); } 
@@ -405,6 +405,60 @@ static void genaNotifyThread( } +/*! + * \brief Allocates the GENA header. + * + * \note The header must be destroyed after with a call to free(), otherwise + * there will be a memory leak. + * + * \return The constructed header. + */ +static char *AllocGenaHeaders( + /*! [in] The property set string. */ + const DOMString propertySet) +{ + static const char *HEADER_LINE_1 = + "CONTENT-TYPE: text/xml; charset=\"utf-8\"\r\n"; + static const char *HEADER_LINE_2A = + "CONTENT-LENGTH: "; + static const char *HEADER_LINE_2B = + "\r\n"; + static const char *HEADER_LINE_3 = + "NT: upnp:event\r\n"; + static const char *HEADER_LINE_4 = + "NTS: upnp:propchange\r\n"; + char *headers = NULL; + int headers_size = 0; + int line = 0; + + headers_size = + strlen(HEADER_LINE_1 ) + + strlen(HEADER_LINE_2A) + MAX_CONTENT_LENGTH + + strlen(HEADER_LINE_2B) + + strlen(HEADER_LINE_3 ) + + strlen(HEADER_LINE_4 ) + 1; + headers = (char *)malloc(headers_size); + if (headers == NULL) { + line = __LINE__; + goto ExitFunction; + } + sprintf(headers, "%s%s%"PRIzu"%s%s%s", + HEADER_LINE_1, + HEADER_LINE_2A, + strlen(propertySet) + 1, + HEADER_LINE_2B, + HEADER_LINE_3, + HEADER_LINE_4); + +ExitFunction: + if (headers == NULL) { + UpnpPrintf(UPNP_ALL, GENA, __FILE__, line, + "AllocGenaHeaders(): Error UPNP_E_OUTOF_MEMORY\n"); + } + return headers; +} + + int genaInitNotify( UpnpDevice_Handle device_handle, char *UDN, @@ -426,7 +480,6 @@ int genaInitNotify( subscription *sub = NULL; service_info *service = NULL; - int headers_size; struct Handle_Info *handle_info; ThreadPoolJob job; @@ -492,7 +545,7 @@ int genaInitNotify( goto ExitFunction; } - ret = GeneratePropertySet(VarNames, VarValues, var_count, &propertySet ); + ret = GeneratePropertySet(VarNames, VarValues, var_count, &propertySet); if (ret != XML_SUCCESS) { line = __LINE__; goto ExitFunction; 
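Review bot: In AllocGenaHeaders the buffer is still filled with an unbounded `sprintf`, so the allocation is only safe while the size sum and the format arguments stay in step, which is the kind of mismatch this commit repairs. `headers_size` is already at hand; passing it to `snprintf` and treating a negative or too-large return as failure turns any future drift into an error instead of a heap overwrite for all four callers (genaInitNotify, genaInitNotifyExt, genaNotifyAllExt, genaNotifyAll). `headers_size` should also be `size_t` rather than `int`, since it is a sum of `strlen` results handed to `malloc`. MAX_CONTENT_LENGTH is defined outside this hunk, so confirm that it covers the widest value `%"PRIzu"` can print for `strlen(propertySet) + 1`. The ExitFunction message reports UPNP_E_OUTOF_MEMORY for every NULL return and would need rewording if the truncation path below is added; WIN32 builds may also need the `_snprintf` mapping that soap_device.c defines.

```c
	size_t headers_size = 0;
	int rc = 0;

	/* ... unchanged: header line constants, size computation, malloc and NULL check ... */
	rc = snprintf(headers, headers_size, "%s%s%"PRIzu"%s%s%s",
		HEADER_LINE_1,
		HEADER_LINE_2A,
		strlen(propertySet) + 1,
		HEADER_LINE_2B,
		HEADER_LINE_3,
		HEADER_LINE_4);
	if (rc < 0 || (size_t)rc >= headers_size) {
		/* Never hand a truncated header block to the notify thread. */
		line = __LINE__;
		free(headers);
		headers = NULL;
	}
```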
@@ -501,25 +554,13 @@ int genaInitNotify( "GENERATED PROPERTY SET IN INIT NOTIFY: %s", propertySet); - headers_size = - strlen("CONTENT-TYPE text/xml; charset=\"utf-8\"\r\n") + - strlen("CONTENT-LENGTH: \r\n") + MAX_CONTENT_LENGTH + - strlen("NT: upnp:event\r\n") + - strlen("NTS: upnp:propchange\r\n") + 1; - headers = (char *)malloc(headers_size); + headers = AllocGenaHeaders(propertySet); if (headers == NULL) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - sprintf(headers, - "CONTENT-TYPE: text/xml\r\n" - "CONTENT-LENGTH: %"PRIzu"\r\n" - "NT: upnp:event\r\n" - "NTS: upnp:propchange\r\n", - strlen(propertySet) + 1); - /* schedule thread for initial notification */ thread_struct = (notify_thread_struct *)malloc(sizeof (notify_thread_struct)); @@ -592,11 +633,10 @@ int genaInitNotifyExt( subscription *sub = NULL; service_info *service = NULL; - int headers_size; struct Handle_Info *handle_info; ThreadPoolJob job; - UpnpPrintf( UPNP_INFO, GENA, __FILE__, __LINE__, + UpnpPrintf(UPNP_INFO, GENA, __FILE__, __LINE__, "GENA BEGIN INITIAL NOTIFY EXT"); reference_count = (int *)malloc(sizeof (int)); @@ -668,25 +708,13 @@ int genaInitNotifyExt( "GENERATED PROPERTY SET IN INIT EXT NOTIFY: %s", propertySet); - headers_size = - strlen("CONTENT-TYPE text/xml; charset=\"utf-8\"\r\n") + - strlen("CONTENT-LENGTH: \r\n") + MAX_CONTENT_LENGTH + - strlen("NT: upnp:event\r\n") + - strlen("NTS: upnp:propchange\r\n") + 1; - headers = (char *)malloc(headers_size); + headers = AllocGenaHeaders(propertySet); if (headers == NULL) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - sprintf(headers, - "CONTENT-TYPE: text/xml\r\n" - "CONTENT-LENGTH: %"PRIzu"\r\n" - "NT: upnp:event\r\n" - "NTS: upnp:propchange\r\n", - strlen(propertySet) + 1); - /* schedule thread for initial notification */ thread_struct = (notify_thread_struct *)malloc(sizeof (notify_thread_struct)); 
@@ -758,7 +786,6 @@ int genaNotifyAllExt( subscription *finger = NULL; service_info *service = NULL; - int headers_size; struct Handle_Info *handle_info; ThreadPoolJob job; @@ -800,25 +827,13 @@ int genaNotifyAllExt( "GENERATED PROPERTY SET IN EXT NOTIFY: %s", propertySet); - headers_size = - strlen("CONTENT-TYPE text/xml; charset=\"utf-8\"\r\n") + - strlen("CONTENT-LENGTH: \r\n") + MAX_CONTENT_LENGTH + - strlen("NT: upnp:event\r\n") + - strlen("NTS: upnp:propchange\r\n") + 1; - headers = (char *)malloc(headers_size); + headers = AllocGenaHeaders(propertySet); if (headers == NULL) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - sprintf(headers, - "CONTENT-TYPE: text/xml\r\n" - "CONTENT-LENGTH: %"PRIzu"\r\n" - "NT: upnp:event\r\n" - "NTS: upnp:propchange\r\n", - strlen(propertySet) + 1); - HandleLock(); if (GetHandleInfo(device_handle, &handle_info) != HND_DEVICE) { @@ -910,7 +925,6 @@ int genaNotifyAll( subscription *finger = NULL; service_info *service = NULL; - int headers_size; struct Handle_Info *handle_info; ThreadPoolJob job; @@ -951,25 +965,13 @@ int genaNotifyAll( "GENERATED PROPERTY SET IN EXT NOTIFY: %s", propertySet); - headers_size = - strlen("CONTENT-TYPE text/xml; charset=\"utf-8\"\r\n") + - strlen("CONTENT-LENGTH: \r\n") + MAX_CONTENT_LENGTH + - strlen("NT: upnp:event\r\n") + - strlen("NTS: upnp:propchange\r\n") + 1; - headers = (char *)malloc(headers_size); + headers = AllocGenaHeaders(propertySet); if (headers == NULL) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - sprintf(headers, - "CONTENT-TYPE: text/xml\r\n" - "CONTENT-LENGTH: %"PRIzu"\r\n" - "NT: upnp:event\r\n" - "NTS: upnp:propchange\r\n", - strlen(propertySet) + 1); - HandleLock(); if (GetHandleInfo(device_handle, &handle_info) != HND_DEVICE) { diff --git a/upnp/src/genlib/net/http/httpparser.c b/upnp/src/genlib/net/http/httpparser.c index ea69789..ca2cfcf 100644 --- a/upnp/src/genlib/net/http/httpparser.c 
+++ b/upnp/src/genlib/net/http/httpparser.c @@ -2509,26 +2509,20 @@ method_to_str( IN http_method_t method ) return index == -1 ? NULL : Http_Method_Table[index].name; } -/************************************************************************ -* Function: print_http_headers -* -* Parameters: -* http_message_t* hmsg ; HTTP Message object -* -* Description: -* -* Returns: -* void -************************************************************************/ + +/*! + * \brief Print the HTTP headers. + */ #ifdef DEBUG -void -print_http_headers( http_message_t * hmsg ) +void print_http_headers( + /*! [in] HTTP Message object. */ + http_message_t *hmsg) { ListNode *node; - // NNS: dlist_node *node; + /* NNS: dlist_node *node; */ http_header_t *header; - // print start line + /* print start line */ if( hmsg->is_request ) { printf( "method = %d, version = %d.%d, url = %.*s\n", hmsg->method, hmsg->major_version, hmsg->minor_version, @@ -2539,18 +2533,18 @@ print_http_headers( http_message_t * hmsg ) (int)hmsg->status_msg.length, hmsg->status_msg.buf); } - // print headers + /* print headers */ node = ListHead( &hmsg->headers ); - // NNS: node = dlist_first_node( &hmsg->headers ); + /* NNS: node = dlist_first_node( &hmsg->headers ); */ while( node != NULL ) { header = ( http_header_t * ) node->item; - // NNS: header = (http_header_t *)node->data; + /* NNS: header = (http_header_t *)node->data; */ printf( "hdr name: %.*s, value: %.*s\n", (int)header->name.length, header->name.buf, (int)header->value.length, header->value.buf ); node = ListNext( &hmsg->headers, node ); - // NNS: node = dlist_next( &hmsg->headers, node ); + /* NNS: node = dlist_next( &hmsg->headers, node ); */ } } #endif diff --git a/upnp/src/genlib/net/http/httpreadwrite.c b/upnp/src/genlib/net/http/httpreadwrite.c index 2bbd527..b2e9094 100644 --- a/upnp/src/genlib/net/http/httpreadwrite.c +++ b/upnp/src/genlib/net/http/httpreadwrite.c 
@@ -1,33 +1,34 @@ -/////////////////////////////////////////////////////////////////////////// -// -// Copyright (c) 2000-2003 Intel Corporation -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, -// this list of conditions and the following disclaimer. -// * Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// * Neither name of Intel Corporation nor the names of its contributors -// may be used to endorse or promote products derived from this software -// without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -// EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY -// OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// -/////////////////////////////////////////////////////////////////////////// +/******************************************************************************* + * + * Copyright (c) 2000-2003 Intel Corporation + * All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * - Neither name of Intel Corporation nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + ******************************************************************************/ + /************************************************************************ * Purpose: This file defines the functionality making use of the http 
@@ -651,8 +652,9 @@ http_Download( IN const char *url_str, return ret_code; } - UpnpPrintf( UPNP_INFO, HTTP, __FILE__, __LINE__, - "HTTP Buffer:\n %s\n----------END--------\n", request.buf ); + UpnpPrintf(UPNP_INFO, HTTP, __FILE__, __LINE__, + "HTTP Buffer:\n%s\n" "----------END--------\n", + request.buf); // get doc msg ret_code = http_RequestAndResponse( &url, request.buf, request.length, @@ -822,9 +824,9 @@ MakePostMessage( const char *url_str, return ret_code; } - UpnpPrintf( UPNP_INFO, HTTP, __FILE__, __LINE__, - "HTTP Buffer:\n %s\n" "----------END--------\n", - request->buf ); + UpnpPrintf(UPNP_INFO, HTTP, __FILE__, __LINE__, + "HTTP Buffer:\n%s\n" "----------END--------\n", + request->buf); return UPNP_E_SUCCESS; } @@ -1141,9 +1143,9 @@ MakeGetMessage( const char *url_str, return ret_code; } - UpnpPrintf( UPNP_INFO, HTTP, __FILE__, __LINE__, - "HTTP Buffer:\n %s\n" "----------END--------\n", - request->buf ); + UpnpPrintf(UPNP_INFO, HTTP, __FILE__, __LINE__, + "HTTP Buffer:\n%s\n" "----------END--------\n", + request->buf); return UPNP_E_SUCCESS; } @@ -2147,9 +2149,9 @@ MakeGetMessageEx( const char *url_str, } } while( 0 ); - UpnpPrintf( UPNP_INFO, HTTP, __FILE__, __LINE__, - "HTTP Buffer:\n %s\n" "----------END--------\n", - request->buf ); + UpnpPrintf(UPNP_INFO, HTTP, __FILE__, __LINE__, + "HTTP Buffer:\n%s\n" "----------END--------\n", + request->buf); return errCode; } diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c index 083ab93..eab7e98 100644 --- a/upnp/src/genlib/net/http/webserver.c +++ b/upnp/src/genlib/net/http/webserver.c 
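Review bot: The four `UpnpPrintf` calls touched here (in http_Download, MakePostMessage, MakeGetMessage and MakeGetMessageEx) write the complete outgoing request to the log at UPNP_INFO with a bare `%s`. Request lines and headers can carry URLs and other values that should not sit in routine logs, so a more verbose level such as UPNP_ALL, or logging only the request line, would be a safer default. The length is available (`request.length` is passed to http_RequestAndResponse in the first hunk), so `"HTTP Buffer:\n%.*s\n"` with `(int)request.length, request.buf` would also keep the print bounded if the buffer is ever not NUL-terminated, matching how print_http_headers prints its fields. These functions begin and end outside the hunks.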
@@ -1269,15 +1269,13 @@ process_request( IN http_message_t * req, } } else { - // - // try using alias - // + /* try using alias */ if (is_valid_alias(&gAliasDoc)) { alias_grab(alias); alias_grabbed = TRUE; using_alias = get_alias(request_doc, alias, finfo); if (using_alias == TRUE) { - UpnpFileInfo_set_ContentType(finfo, "text/xml"); + UpnpFileInfo_set_ContentType(finfo, "text/xml; charset=\"utf-8\""); if (UpnpFileInfo_get_ContentType(finfo) == NULL) { goto error_handler; } diff --git a/upnp/src/soap/soap_device.c b/upnp/src/soap/soap_device.c index 8209ea8..2dcf6ec 100644 --- a/upnp/src/soap/soap_device.c +++ b/upnp/src/soap/soap_device.c 
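Review bot: The content type `text/xml; charset=\"utf-8\"` is written out here as a fresh literal, while the same value also appears in HEADER_LINE_1 in gena_device.c and in ContentTypeHeader in soap_device.c. The overflow fixed by this commit came from two copies of that header text disagreeing, so a single shared macro for the value, reused to build the full header line, would keep the copies from drifting again. If the alias document is not guaranteed to be UTF-8, declaring the charset here may also mislabel it; that cannot be checked from this hunk. process_request continues outside the hunk.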
@@ -1,38 +1,47 @@ -/////////////////////////////////////////////////////////////////////////// -// -// Copyright (c) 2000-2003 Intel Corporation -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, -// this list of conditions and the following disclaimer. -// * Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// * Neither name of Intel Corporation nor the names of its contributors -// may be used to endorse or promote products derived from this software -// without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -// EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY -// OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// -/////////////////////////////////////////////////////////////////////////// +/******************************************************************************* + * + * Copyright (c) 2000-2003 Intel Corporation + * All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * - Neither name of Intel Corporation nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + ******************************************************************************/ + + +/*! + * \file + */ + #include "config.h" + + #ifdef INCLUDE_DEVICE_APIS #if EXCLUDE_SOAP == 0 + #define SOAP_BODY "Body" #define SOAP_URN "http:/""/schemas.xmlsoap.org/soap/envelope/" 
@@ -51,10 +60,11 @@ #ifdef WIN32 - #define snprintf _snprintf + #define snprintf _snprintf #endif -// timeout duration in secs for transmission/reception + +/*! timeout duration in secs for transmission/reception */ #define SOAP_TIMEOUT UPNP_TIMEOUT #define SREQ_HDR_NOT_FOUND -1 @@ -68,13 +78,14 @@ static const char *Soap_Invalid_Action = "Invalid Action"; -//static const char* Soap_Invalid_Args = "Invalid Args"; +/*static const char* Soap_Invalid_Args = "Invalid Args"; */ static const char *Soap_Action_Failed = "Action Failed"; static const char *Soap_Invalid_Var = "Invalid Var"; const char *ContentTypeHeader = "CONTENT-TYPE: text/xml; charset=\"utf-8\"\r\n"; + /**************************************************************************** * Function : get_request_type *