Fixed a buffer overflow due to a bug in the calculation of the

CONTENT-TYPE header line size, the length was beeing calculated with
the wrong string, there was a missing colon.


git-svn-id: https://pupnp.svn.sourceforge.net/svnroot/pupnp/trunk@434 119443c7-1b9e-41f8-b6fc-b9c35fce742c

ChangeLog

@@ -2,6 +2,11 @@
 Version 1.8.0
 *******************************************************************************
 
+2008-06-11 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
+	* Fixed a buffer overflow due to a bug in the calculation of the
+	CONTENT-TYPE header line size, the length was beeing calculated with
+	the wrong string, there was a missing colon.
+
 2008-06-11 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
 	* Ingo Hofmann's patch for "Content-Type in Subscription responses".
 	Adds charset="utf-8" attribute to the CONTENT-TYPE header line.

upnp/src/gena/gena_device.c

@@ -30,14 +30,14 @@
  ******************************************************************************/
 
 
-#include "config.h"
-
-
 /*!
  * \file
  */
 
 
+#include "config.h"
+
+
 #if EXCLUDE_GENA == 0
 #ifdef INCLUDE_DEVICE_APIS
 
@@ -150,7 +150,7 @@ static void free_notify_struct(
 	notify_thread_struct *input)
 {
 	(*input->reference_count)--;
-    if( ( *input->reference_count ) == 0 ) {
+	if (*input->reference_count == 0) {
 		free(input->headers);
 		ixmlFreeDOMString(input->propertySet);
 		free(input->servId);
@@ -405,6 +405,60 @@ static void genaNotifyThread(
 }
 
 
+/*!
+ * \brief Allocates the GENA header.
+ *
+ * \note The header must be destroyed after with a call to free(), otherwise
+ * there will be a memory leak.
+ *
+ * \return The constructed header.
+ */
+static char *AllocGenaHeaders(
+	/*! [in] The property set string. */
+	const DOMString propertySet)
+{
+	static const char *HEADER_LINE_1 =
+		"CONTENT-TYPE: text/xml; charset=\"utf-8\"\r\n";
+	static const char *HEADER_LINE_2A =
+		"CONTENT-LENGTH: ";
+	static const char *HEADER_LINE_2B =
+		"\r\n";
+	static const char *HEADER_LINE_3 =
+		"NT: upnp:event\r\n";
+	static const char *HEADER_LINE_4 =
+		"NTS: upnp:propchange\r\n";
+	char *headers = NULL;
+	int headers_size = 0;
+	int line = 0;
+
+	headers_size =
+		strlen(HEADER_LINE_1 ) +
+		strlen(HEADER_LINE_2A) + MAX_CONTENT_LENGTH +
+		strlen(HEADER_LINE_2B) +
+		strlen(HEADER_LINE_3 ) +
+		strlen(HEADER_LINE_4 ) + 1;
+	headers = (char *)malloc(headers_size);
+	if (headers == NULL) {
+		line = __LINE__;
+		goto ExitFunction;
+	}
+	sprintf(headers, "%s%s%"PRIzu"%s%s%s",
+		HEADER_LINE_1,
+		HEADER_LINE_2A,
+		strlen(propertySet) + 1,
+		HEADER_LINE_2B,
+		HEADER_LINE_3,
+		HEADER_LINE_4);
+
+ExitFunction:
+	if (headers == NULL) {
+		UpnpPrintf(UPNP_ALL, GENA, __FILE__, line,
+			"AllocGenaHeaders(): Error UPNP_E_OUTOF_MEMORY\n");
+	}
+	return headers;
+}
+
+
 int genaInitNotify(
 	UpnpDevice_Handle device_handle,
 	char *UDN,
@@ -426,7 +480,6 @@ int genaInitNotify(
 
 	subscription *sub = NULL;
 	service_info *service = NULL;
-	int headers_size;
 	struct Handle_Info *handle_info;
 	ThreadPoolJob job;
 
@@ -501,25 +554,13 @@ int genaInitNotify(
 		"GENERATED PROPERTY SET IN INIT NOTIFY: %s",
 		propertySet);
 
-	headers_size =
+	headers = AllocGenaHeaders(propertySet);
-		strlen("CONTENT-TYPE text/xml; charset=\"utf-8\"\r\n") +
-		strlen("CONTENT-LENGTH: \r\n") + MAX_CONTENT_LENGTH +
-		strlen("NT: upnp:event\r\n") +
-		strlen("NTS: upnp:propchange\r\n") + 1;
-	headers = (char *)malloc(headers_size);
 	if (headers == NULL) {
 		line = __LINE__;
 		ret = UPNP_E_OUTOF_MEMORY;
 		goto ExitFunction;
 	}
 
-	sprintf(headers,
-		"CONTENT-TYPE: text/xml\r\n"
-		"CONTENT-LENGTH: %"PRIzu"\r\n"
-		"NT: upnp:event\r\n"
-		"NTS: upnp:propchange\r\n",
-		strlen(propertySet) + 1);
-
 	/* schedule thread for initial notification */
 
 	thread_struct = (notify_thread_struct *)malloc(sizeof (notify_thread_struct));
@@ -592,7 +633,6 @@ int genaInitNotifyExt(
 
 	subscription *sub = NULL;
 	service_info *service = NULL;
-	int headers_size;
 	struct Handle_Info *handle_info;
 	ThreadPoolJob job;
 
@@ -668,25 +708,13 @@ int genaInitNotifyExt(
 		"GENERATED PROPERTY SET IN INIT EXT NOTIFY: %s",
 		propertySet);
 
-	headers_size =
+	headers = AllocGenaHeaders(propertySet);
-		strlen("CONTENT-TYPE text/xml; charset=\"utf-8\"\r\n") +
-		strlen("CONTENT-LENGTH: \r\n") + MAX_CONTENT_LENGTH +
-		strlen("NT: upnp:event\r\n") +
-		strlen("NTS: upnp:propchange\r\n") + 1;
-	headers = (char *)malloc(headers_size);
 	if (headers == NULL) {
 		line = __LINE__;
 		ret = UPNP_E_OUTOF_MEMORY;
 		goto ExitFunction;
 	}
 
-	sprintf(headers,
-		"CONTENT-TYPE: text/xml\r\n"
-		"CONTENT-LENGTH: %"PRIzu"\r\n"
-		"NT: upnp:event\r\n"
-		"NTS: upnp:propchange\r\n",
-		strlen(propertySet) + 1);
-
 	/* schedule thread for initial notification */
 
 	thread_struct = (notify_thread_struct *)malloc(sizeof (notify_thread_struct));
@@ -758,7 +786,6 @@ int genaNotifyAllExt(
 
 	subscription *finger = NULL;
 	service_info *service = NULL;
-	int headers_size;
 	struct Handle_Info *handle_info;
 	ThreadPoolJob job;
 
@@ -800,25 +827,13 @@ int genaNotifyAllExt(
 		"GENERATED PROPERTY SET IN EXT NOTIFY: %s",
 		propertySet);
 
-	headers_size =
+	headers = AllocGenaHeaders(propertySet);
-		strlen("CONTENT-TYPE text/xml; charset=\"utf-8\"\r\n") +
-		strlen("CONTENT-LENGTH: \r\n") + MAX_CONTENT_LENGTH +
-		strlen("NT: upnp:event\r\n") +
-		strlen("NTS: upnp:propchange\r\n") + 1;
-	headers = (char *)malloc(headers_size);
 	if (headers == NULL) {
 		line = __LINE__;
 		ret = UPNP_E_OUTOF_MEMORY;
 		goto ExitFunction;
 	}
 
-	sprintf(headers,
-		"CONTENT-TYPE: text/xml\r\n"
-		"CONTENT-LENGTH: %"PRIzu"\r\n"
-		"NT: upnp:event\r\n"
-		"NTS: upnp:propchange\r\n",
-		strlen(propertySet) + 1);
-
 	HandleLock();
 
 	if (GetHandleInfo(device_handle, &handle_info) != HND_DEVICE) {
@@ -910,7 +925,6 @@ int genaNotifyAll(
 
 	subscription *finger = NULL;
 	service_info *service = NULL;
-	int headers_size;
 	struct Handle_Info *handle_info;
 	ThreadPoolJob job;
 
@@ -951,25 +965,13 @@ int genaNotifyAll(
 		"GENERATED PROPERTY SET IN EXT NOTIFY: %s",
 		propertySet);
 
-	headers_size =
+	headers = AllocGenaHeaders(propertySet);
-		strlen("CONTENT-TYPE text/xml; charset=\"utf-8\"\r\n") +
-		strlen("CONTENT-LENGTH: \r\n") + MAX_CONTENT_LENGTH +
-		strlen("NT: upnp:event\r\n") +
-		strlen("NTS: upnp:propchange\r\n") + 1;
-	headers = (char *)malloc(headers_size);
 	if (headers == NULL) {
 		line = __LINE__;
 		ret = UPNP_E_OUTOF_MEMORY;
 		goto ExitFunction;
 	}
 
-	sprintf(headers,
-		"CONTENT-TYPE: text/xml\r\n"
-		"CONTENT-LENGTH: %"PRIzu"\r\n"
-		"NT: upnp:event\r\n"
-		"NTS: upnp:propchange\r\n",
-		strlen(propertySet) + 1);
-
 	HandleLock();
 
 	if (GetHandleInfo(device_handle, &handle_info) != HND_DEVICE) {

upnp/src/genlib/net/http/httpparser.c

@@ -2509,26 +2509,20 @@ method_to_str( IN http_method_t method )
     return index == -1 ? NULL : Http_Method_Table[index].name;
 }
 
-/************************************************************************
+
-* Function: print_http_headers
+/*!
-*
+ * \brief Print the HTTP headers.
-* Parameters:
+ */
-*	http_message_t* hmsg ; HTTP Message object
-*
-* Description:
-*
-* Returns:
-*	 void
-************************************************************************/
 #ifdef DEBUG
-void
+void print_http_headers(
-print_http_headers( http_message_t * hmsg )
+	/*! [in] HTTP Message object. */
+	http_message_t *hmsg)
 {
     ListNode *node;
-    // NNS:  dlist_node *node;
+    /* NNS:  dlist_node *node; */
     http_header_t *header;
 
-    // print start line
+    /* print start line */
     if( hmsg->is_request ) {
         printf( "method = %d, version = %d.%d, url = %.*s\n", 
             hmsg->method, hmsg->major_version, hmsg->minor_version,
@@ -2539,18 +2533,18 @@ print_http_headers( http_message_t * hmsg )
             (int)hmsg->status_msg.length, hmsg->status_msg.buf);
     }
 
-    // print headers
+    /* print headers */
     node = ListHead( &hmsg->headers );
-    // NNS: node = dlist_first_node( &hmsg->headers );
+    /* NNS: node = dlist_first_node( &hmsg->headers ); */
     while( node != NULL ) {
         header = ( http_header_t * ) node->item;
-        // NNS: header = (http_header_t *)node->data;
+        /* NNS: header = (http_header_t *)node->data; */
         printf( "hdr name: %.*s, value: %.*s\n", 
             (int)header->name.length, header->name.buf,
             (int)header->value.length, header->value.buf );
 
         node = ListNext( &hmsg->headers, node );
-        // NNS: node = dlist_next( &hmsg->headers, node );
+        /* NNS: node = dlist_next( &hmsg->headers, node ); */
     }
 }
 #endif

upnp/src/genlib/net/http/httpreadwrite.c

@@ -1,33 +1,34 @@
-///////////////////////////////////////////////////////////////////////////
+/*******************************************************************************
-//
+ *
-// Copyright (c) 2000-2003 Intel Corporation 
+ * Copyright (c) 2000-2003 Intel Corporation 
-// All rights reserved. 
+ * All rights reserved. 
-//
+ *
-// Redistribution and use in source and binary forms, with or without 
+ * Redistribution and use in source and binary forms, with or without 
-// modification, are permitted provided that the following conditions are met: 
+ * modification, are permitted provided that the following conditions are met: 
-//
+ *
-// * Redistributions of source code must retain the above copyright notice, 
+ * - Redistributions of source code must retain the above copyright notice, 
-// this list of conditions and the following disclaimer. 
+ * this list of conditions and the following disclaimer. 
-// * Redistributions in binary form must reproduce the above copyright notice, 
+ * - Redistributions in binary form must reproduce the above copyright notice, 
-// this list of conditions and the following disclaimer in the documentation 
+ * this list of conditions and the following disclaimer in the documentation 
-// and/or other materials provided with the distribution. 
+ * and/or other materials provided with the distribution. 
-// * Neither name of Intel Corporation nor the names of its contributors 
+ * - Neither name of Intel Corporation nor the names of its contributors 
-// may be used to endorse or promote products derived from this software 
+ * may be used to endorse or promote products derived from this software 
-// without specific prior written permission.
+ * without specific prior written permission.
-// 
+ * 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR 
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
-// EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
-// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
-// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 
-// OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
-// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
+ *
-///////////////////////////////////////////////////////////////////////////
+ ******************************************************************************/
+
 
 /************************************************************************
 * Purpose: This file defines the functionality making use of the http 
@@ -652,7 +653,8 @@ http_Download( IN const char *url_str,
     }
 
     UpnpPrintf(UPNP_INFO, HTTP, __FILE__, __LINE__,
-        "HTTP Buffer:\n %s\n----------END--------\n", request.buf );
+        "HTTP Buffer:\n%s\n" "----------END--------\n",
+        request.buf);
     // get doc msg
     ret_code =
         http_RequestAndResponse( &url, request.buf, request.length,

upnp/src/genlib/net/http/webserver.c

@@ -1269,15 +1269,13 @@ process_request( IN http_message_t * req,
         }
 
     } else {
-        //
+        /* try using alias */
-        // try using alias
-        //
         if (is_valid_alias(&gAliasDoc)) {
             alias_grab(alias);
             alias_grabbed = TRUE;
             using_alias = get_alias(request_doc, alias, finfo);
             if (using_alias == TRUE) {
-                UpnpFileInfo_set_ContentType(finfo, "text/xml");
+                UpnpFileInfo_set_ContentType(finfo, "text/xml; charset=\"utf-8\"");
                 if (UpnpFileInfo_get_ContentType(finfo) == NULL) {
                     goto error_handler;
                 }

upnp/src/soap/soap_device.c

@@ -1,38 +1,47 @@
-///////////////////////////////////////////////////////////////////////////
+/*******************************************************************************
-//
+ *
-// Copyright (c) 2000-2003 Intel Corporation 
+ * Copyright (c) 2000-2003 Intel Corporation 
-// All rights reserved. 
+ * All rights reserved. 
-//
+ *
-// Redistribution and use in source and binary forms, with or without 
+ * Redistribution and use in source and binary forms, with or without 
-// modification, are permitted provided that the following conditions are met: 
+ * modification, are permitted provided that the following conditions are met: 
-//
+ *
-// * Redistributions of source code must retain the above copyright notice, 
+ * - Redistributions of source code must retain the above copyright notice, 
-// this list of conditions and the following disclaimer. 
+ * this list of conditions and the following disclaimer. 
-// * Redistributions in binary form must reproduce the above copyright notice, 
+ * - Redistributions in binary form must reproduce the above copyright notice, 
-// this list of conditions and the following disclaimer in the documentation 
+ * this list of conditions and the following disclaimer in the documentation 
-// and/or other materials provided with the distribution. 
+ * and/or other materials provided with the distribution. 
-// * Neither name of Intel Corporation nor the names of its contributors 
+ * - Neither name of Intel Corporation nor the names of its contributors 
-// may be used to endorse or promote products derived from this software 
+ * may be used to endorse or promote products derived from this software 
-// without specific prior written permission.
+ * without specific prior written permission.
-// 
+ * 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR 
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
-// EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
-// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
-// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 
-// OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
-// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
+ *
-///////////////////////////////////////////////////////////////////////////
+ ******************************************************************************/
+
+
+/*!
+ * \file
+ */
+
 
 #include "config.h"
+
+
 #ifdef INCLUDE_DEVICE_APIS
 #if EXCLUDE_SOAP == 0
 
+
 #define SOAP_BODY "Body"
 #define SOAP_URN "http:/""/schemas.xmlsoap.org/soap/envelope/"
 
@@ -54,7 +63,8 @@
 	#define snprintf _snprintf
 #endif
 
-// timeout duration in secs for transmission/reception
+
+/*! timeout duration in secs for transmission/reception */
 #define SOAP_TIMEOUT UPNP_TIMEOUT
 
 #define SREQ_HDR_NOT_FOUND	 -1
@@ -68,13 +78,14 @@
 
 static const char *Soap_Invalid_Action = "Invalid Action";
 
-//static const char* Soap_Invalid_Args = "Invalid Args";
+/*static const char* Soap_Invalid_Args = "Invalid Args"; */
 static const char *Soap_Action_Failed = "Action Failed";
 static const char *Soap_Invalid_Var = "Invalid Var";
 
 const char *ContentTypeHeader =
     "CONTENT-TYPE: text/xml; charset=\"utf-8\"\r\n";
 
+
 /****************************************************************************
 *	Function :	get_request_type
 *