generic-library/libupnp
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove most of strcpy, sprintf and strcat

Browse Source 
Replace strcpy, sprintf and strcat by strncpy, snprintf and strncat to
avoid buffer overflows.
This commit is contained in:
Fabrice Fontaine
2012-03-08 10:08:09 +01:00
parent 9965f02727
commit 97a17ff5ad
13 changed files with 174 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@@ -2,6 +2,13 @@
Version 1.6.16
*******************************************************************************
2012-03-08 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
Remove most of strcpy, sprintf and strcat
Replace strcpy, sprintf and strcat by strncpy, snprintf and strncat to
avoid buffer overflows.
2012-03-07 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
SF Bug Tracker id 3497714 - Buffer overflows

32
upnp/src/api/upnpapi.c
View File

@@ -1467,6 +1467,7 @@ static int GetDescDocumentAndURL(
struct sockaddr_storage serverAddr;
int rc = UPNP_E_SUCCESS;
memset(aliasStr, 0, sizeof(aliasStr));
if (description == NULL)
return UPNP_E_INVALID_PARAM;
/* non-URL description must have configuration specified */
@@ -1518,7 +1519,8 @@ static int GetDescDocumentAndURL(
/* Determine alias */
if (config_baseURL) {
if (descriptionType == UPNPREG_BUF_DESC) {
strcpy(aliasStr, "description.xml");
strncpy(aliasStr, "description.xml",
sizeof(aliasStr) - 1);
} else {
/* URL or filename */
retVal = GetNameForAlias(description, &temp_str);
@@ -1531,7 +1533,7 @@ static int GetDescDocumentAndURL(
free(temp_str);
return UPNP_E_URL_TOO_BIG;
}
strcpy(aliasStr, temp_str);
strncpy(aliasStr, temp_str, sizeof(aliasStr) - 1);
}
if (AddressFamily == AF_INET) {
get_server_addr((struct sockaddr *)&serverAddr);
@@ -1553,7 +1555,8 @@ static int GetDescDocumentAndURL(
ixmlDocument_free(*xmlDoc);
return UPNP_E_URL_TOO_BIG;
}
strcpy(descURL, description);
strncpy(descURL, description, strlen(description));
descURL[strlen(description)] = '\0';
}
assert(*xmlDoc != NULL);
@@ -1584,7 +1587,8 @@ static int GetDescDocumentAndURL(
if (strlen(description) > (LINE_SIZE - 1)) {
return UPNP_E_URL_TOO_BIG;
}
strcpy(descURL, description);
strncpy(descURL, description, strlen(description));
descURL[strlen(description)] = '\0';
retVal = UpnpDownloadXmlDoc(description, xmlDoc);
if (retVal != UPNP_E_SUCCESS) {
@@ -1953,7 +1957,8 @@ int UpnpSubscribe(
HandleUnlock();
retVal = genaSubscribe(Hnd, EvtUrl, TimeOut, SubsIdTmp);
strcpy(SubsId, UpnpString_get_String(SubsIdTmp));
memset(SubsId, 0, sizeof(Upnp_SID));
strncpy(SubsId, UpnpString_get_String(SubsIdTmp), sizeof(Upnp_SID) - 1);
exit_function:
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
@@ -3327,7 +3332,9 @@ int UpnpGetIfInfo(const char *IfName)
(struct ifreq *)((caddr_t) ifConf.ifc_req + i);
i += sizeof *pifReq;
/* See if this is the sort of interface we want to deal with. */
strcpy(ifReq.ifr_name, pifReq->ifr_name);
memset(ifReq.ifr_name, 0, sizeof(ifReq.ifr_name));
strncpy(ifReq.ifr_name, pifReq->ifr_name,
sizeof(ifReq.ifr_name) - 1);
if (ioctl(LocalSock, SIOCGIFFLAGS, &ifReq) < 0) {
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Can't get interface flags for %s:\n",
@@ -3766,7 +3773,9 @@ int getlocalhostname(char *out, size_t out_len)
(struct ifreq *)((caddr_t)ifConf.ifc_req + i);
i += sizeof *pifReq;
/* See if this is the sort of interface we want to deal with. */
strcpy(ifReq.ifr_name, pifReq->ifr_name);
memset(ifReq.ifr_name, 0, sizeof(ifReq.ifr_name));
strncpy(ifReq.ifr_name, pifReq->ifr_name,
sizeof(ifReq.ifr_name) - 1);
if (ioctl(LocalSock, SIOCGIFFLAGS, &ifReq) < 0) {
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Can't get interface flags for %s:\n",
@@ -3846,6 +3855,7 @@ int UpnpAddVirtualDir(const char *newDirName)
virtualDirList *pCurVirtualDir;
char dirName[NAME_SIZE];
memset( dirName, 0, sizeof( dirName ) );
if( UpnpSdkInit != 1 ) {
/* SDK is not initialized */
return UPNP_E_FINISH;
@@ -3857,9 +3867,9 @@ int UpnpAddVirtualDir(const char *newDirName)
if( *newDirName != '/' ) {
dirName[0] = '/';
strcpy( dirName + 1, newDirName );
strncpy( dirName + 1, newDirName, sizeof( dirName ) - 1 );
} else {
strcpy( dirName, newDirName );
strncpy( dirName, newDirName, sizeof( dirName ) - 1 );
}
pCurVirtualDir = pVirtualDirList;
@@ -3878,7 +3888,9 @@ int UpnpAddVirtualDir(const char *newDirName)
return UPNP_E_OUTOF_MEMORY;
}
pNewVirtualDir->next = NULL;
strcpy( pNewVirtualDir->dirName, dirName );
memset( pNewVirtualDir->dirName, 0, sizeof( pNewVirtualDir->dirName ) );
strncpy( pNewVirtualDir->dirName, dirName,
sizeof( pNewVirtualDir->dirName ) - 1);
*( pNewVirtualDir->dirName + strlen( dirName ) ) = 0;
if( pVirtualDirList == NULL ) { /* first virtual dir */

11
upnp/src/api/upnptools.c
View File

@@ -2,6 +2,7 @@
*
* Copyright (c) 2000-2003 Intel Corporation
* All rights reserved.
* Copyright (c) 2012 France Telecom All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -218,13 +219,14 @@ static int addToAction(
if (ActBuff == NULL) {
return UPNP_E_OUTOF_MEMORY;
}
memset(ActBuff, 0, HEADER_LENGTH);
if (response) {
sprintf(ActBuff,
snprintf(ActBuff, HEADER_LENGTH - 1,
"<u:%sResponse xmlns:u=\"%s\">\r\n</u:%sResponse>",
ActionName, ServType, ActionName);
} else {
sprintf(ActBuff,
snprintf(ActBuff, HEADER_LENGTH - 1,
"<u:%s xmlns:u=\"%s\">\r\n</u:%s>",
ActionName, ServType, ActionName);
}
@@ -291,13 +293,14 @@ static IXML_Document *makeAction(
if (ActBuff == NULL) {
return NULL;
}
memset(ActBuff, 0, HEADER_LENGTH);
if (response) {
sprintf(ActBuff,
snprintf(ActBuff, HEADER_LENGTH - 1,
"<u:%sResponse xmlns:u=\"%s\">\r\n</u:%sResponse>",
ActionName, ServType, ActionName);
} else {
sprintf(ActBuff,
snprintf(ActBuff, HEADER_LENGTH - 1,
"<u:%s xmlns:u=\"%s\">\r\n</u:%s>",
ActionName, ServType, ActionName);
}

13
upnp/src/gena/gena_ctrlpt.c
View File

@@ -290,6 +290,7 @@ static int gena_subscribe(
uri_type dest_url;
http_parser_t response;
memset(timeout_str, 0, sizeof(timeout_str));
UpnpString_clear(sid);
/* request timeout to string */
@@ -297,11 +298,12 @@ static int gena_subscribe(
timeout = &local_timeout;
}
if (*timeout < 0) {
strcpy(timeout_str, "infinite");
strncpy(timeout_str, "infinite", sizeof(timeout_str) - 1);
} else if(*timeout < CP_MINIMUM_SUBSCRIPTION_TIME) {
sprintf(timeout_str, "%d", CP_MINIMUM_SUBSCRIPTION_TIME);
snprintf(timeout_str, sizeof(timeout_str) - 1,
"%d", CP_MINIMUM_SUBSCRIPTION_TIME);
} else {
sprintf(timeout_str, "%d", *timeout);
snprintf(timeout_str, sizeof(timeout_str) - 1, "%d", *timeout);
}
/* parse url */
@@ -519,6 +521,9 @@ int genaSubscribe(
UpnpString *EventURL = UpnpString_new();
struct Handle_Info *handle_info;
memset(temp_sid, 0, sizeof(temp_sid));
memset(temp_sid2, 0, sizeof(temp_sid2));
UpnpPrintf(UPNP_INFO, GENA, __FILE__, __LINE__, "GENA SUBSCRIBE BEGIN");
UpnpString_clear(out_sid);
@@ -551,7 +556,7 @@ int genaSubscribe(
/* generate client SID */
uuid_create(&uid );
uuid_unpack(&uid, temp_sid);
sprintf(temp_sid2, "uuid:%s", temp_sid);
snprintf(temp_sid2, sizeof(temp_sid2) - 1, "uuid:%s", temp_sid);
UpnpString_set_String(out_sid, temp_sid2);
/* create event url */

34
upnp/src/gena/gena_device.c
View File

@@ -493,8 +493,10 @@ int genaInitNotify(
goto ExitFunction;
}
strcpy(UDN_copy, UDN);
strcpy(servId_copy, servId);
memset(UDN_copy, 0, strlen(UDN) + 1);
strncpy(UDN_copy, UDN, strlen(UDN));
memset(servId_copy, 0, strlen(servId) + 1);
strncpy(servId_copy, servId, strlen(servId));
HandleLock();
@@ -650,8 +652,10 @@ int genaInitNotifyExt(
goto ExitFunction;
}
strcpy(UDN_copy, UDN);
strcpy(servId_copy, servId);
memset(UDN_copy, 0, strlen(UDN) + 1);
strncpy(UDN_copy, UDN, strlen(UDN));
memset(servId_copy, 0, strlen(servId) + 1);
strncpy(servId_copy, servId, strlen(servId));
HandleLock();
@@ -807,8 +811,10 @@ int genaNotifyAllExt(
goto ExitFunction;
}
strcpy(UDN_copy, UDN);
strcpy(servId_copy, servId);
memset(UDN_copy, 0, strlen(UDN) + 1);
strncpy(UDN_copy, UDN, strlen(UDN));
memset(servId_copy, 0, strlen(servId) + 1);
strncpy(servId_copy, servId, strlen(servId));
propertySet = ixmlPrintNode((IXML_Node *)PropSet);
if (propertySet == NULL) {
@@ -951,8 +957,10 @@ int genaNotifyAll(
goto ExitFunction;
}
strcpy(UDN_copy, UDN);
strcpy(servId_copy, servId);
memset(UDN_copy, 0, strlen(UDN) + 1);
strncpy(UDN_copy, UDN, strlen(UDN));
memset(servId_copy, 0, strlen(servId) + 1);
strncpy(servId_copy, servId, strlen(servId));
ret = GeneratePropertySet(VarNames, VarValues, var_count, &propertySet);
if (ret != XML_SUCCESS) {
@@ -1067,13 +1075,16 @@ static int respond_ok(
char timeout_str[100];
int upnp_timeout = UPNP_TIMEOUT;
memset( timeout_str, 0, sizeof( timeout_str ) );
http_CalcResponseVersion( request->major_version,
request->minor_version, &major, &minor );
if( time_out >= 0 ) {
sprintf( timeout_str, "TIMEOUT: Second-%d", time_out );
snprintf( timeout_str, sizeof ( timeout_str ) - 1,
"TIMEOUT: Second-%d", time_out );
} else {
strcpy( timeout_str, "TIMEOUT: Second-infinite" );
strncpy( timeout_str, "TIMEOUT: Second-infinite",
sizeof ( timeout_str ) - 1 );
}
membuffer_init( &response );
@@ -1337,7 +1348,8 @@ void gena_process_subscription_request(
/* generate SID */
uuid_create(&uid);
uuid_unpack(&uid, temp_sid);
sprintf(sub->sid, "uuid:%s", temp_sid);
memset(sub->sid, 0, sizeof(sub->sid));
snprintf(sub->sid, sizeof(sub->sid) - 1, "uuid:%s", temp_sid);
/* respond OK */
if (respond_ok(info, time_out, sub, request) != UPNP_E_SUCCESS) {

35
upnp/src/genlib/net/http/httpreadwrite.c
View File

@@ -370,6 +370,7 @@ int http_SendMessage(SOCKINFO *info, int *TimeOut, const char *fmt, ...)
/* 10 byte allocated for chunk header. */
size_t Data_Buf_Size = WEB_SERVER_BUF_SIZE;
memset(Chunk_Header, 0, sizeof(Chunk_Header));
va_start(argp, fmt);
while ((c = *fmt++) != 0) {
if (c == 'I') {
@@ -447,9 +448,13 @@ int http_SendMessage(SOCKINFO *info, int *TimeOut, const char *fmt, ...)
/* Copy CRLF at the end of the chunk */
memcpy(file_buf + num_read, "\r\n", 2);
/* Hex length for the chunk size. */
sprintf(Chunk_Header, "%" PRIzx, num_read);
memset(Chunk_Header, 0,
sizeof(Chunk_Header));
snprintf(Chunk_Header,
sizeof(Chunk_Header) - strlen ("\r\n") - 1,
"%" PRIzx, num_read);
/*itoa(num_read,Chunk_Header,16); */
strcat(Chunk_Header, "\r\n");
strncat(Chunk_Header, "\r\n", strlen ("\r\n"));
/* Copy the chunk size header */
memcpy(file_buf - strlen(Chunk_Header),
Chunk_Header,
@@ -636,7 +641,8 @@ int http_Download( IN const char *url_str,
return ret_code;
/* make msg */
membuffer_init(&request);
strcpy(urlPath, url_str);
memset(urlPath, 0, strlen(url_str) + 1);
strncpy(urlPath, url_str, strlen(url_str));
hoststr = strstr(urlPath, "//");
if (hoststr == NULL)
return UPNP_E_INVALID_URL;
@@ -761,7 +767,8 @@ int MakePostMessage(const char *url_str, membuffer *request,
return ret_code;
/* make msg */
membuffer_init(request);
strcpy(urlPath, url_str);
memset(urlPath, 0, strlen(url_str) + 1);
strncpy(urlPath, url_str, strlen(url_str));
hoststr = strstr(urlPath, "//");
if (hoststr == NULL)
return UPNP_E_INVALID_URL;
@@ -1047,7 +1054,8 @@ int MakeGetMessage(const char *url_str, const char *proxy_str,
return ret_code;
/* make msg */
membuffer_init(request);
strcpy(urlPath, url_str);
memset(urlPath, 0, strlen(url_str) + 1);
strncpy(urlPath, url_str, strlen(url_str));
hoststr = strstr(urlPath, "//");
if (hoststr == NULL)
return UPNP_E_INVALID_URL;
@@ -1585,6 +1593,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
const char *month_str = "Jan\0Feb\0Mar\0Apr\0May\0Jun\0"
"Jul\0Aug\0Sep\0Oct\0Nov\0Dec";
memset(tempbuf, 0, sizeof(tempbuf));
va_start(argp, fmt);
while ((c = *fmt++) != 0) {
if (c == 's') {
@@ -1626,13 +1635,14 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
} else if (c == 'd') {
/* integer */
num = (size_t)va_arg(argp, int);
sprintf(tempbuf, "%" PRIzu, num);
snprintf(tempbuf, sizeof(tempbuf) - 1, "%" PRIzu, num);
if (membuffer_append(buf, tempbuf, strlen(tempbuf)))
goto error_handler;
} else if (c == 'h') {
/* off_t */
bignum = (off_t) va_arg(argp, off_t);
sprintf(tempbuf, "%" PRId64, (int64_t) bignum);
snprintf(tempbuf, sizeof(tempbuf) - 1, "%" PRId64,
(int64_t) bignum);
if (membuffer_append(buf, tempbuf, strlen(tempbuf)))
goto error_handler;
} else if (c == 't' || c == 'D') {
@@ -1650,7 +1660,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
}
assert(loc_time);
date = gmtime(loc_time);
sprintf(tempbuf,
snprintf(tempbuf, sizeof(tempbuf) - 1,
"%s%s, %02d %s %d %02d:%02d:%02d GMT%s",
start_str, &weekday_str[date->tm_wday * 4],
date->tm_mday, &month_str[date->tm_mon * 4],
@@ -1707,7 +1717,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
/* e.g.: 'HTTP/1.1 200 OK' code */
status_code = (int)va_arg(argp, int);
assert(status_code > 0);
sprintf(tempbuf, "HTTP/%d.%d %d ",
snprintf(tempbuf, sizeof(tempbuf) - 1, "HTTP/%d.%d %d ",
http_major_version, http_minor_version,
status_code);
/* str */
@@ -1718,7 +1728,7 @@ int http_MakeMessage(membuffer *buf, int http_major_version,
} else if (c == 'B') {
/* body of a simple reply */
status_code = (int)va_arg(argp, int);
sprintf(tempbuf, "%s%d %s%s",
snprintf(tempbuf, sizeof(tempbuf) - 1, "%s%d %s%s",
"<html><body><h1>",
status_code, http_get_code_text(status_code),
"</h1></body></html>");
@@ -1853,7 +1863,7 @@ int MakeGetMessageEx( const char *url_str,
break;
}
memset(urlPath, 0, strlen(url_str) + 1);
strcpy(urlPath, url_str);
strncpy(urlPath, url_str, strlen(url_str));
hoststr = strstr(urlPath, "//");
if (hoststr == NULL) {
errCode = UPNP_E_INVALID_URL;
@@ -1957,7 +1967,8 @@ int http_OpenHttpGetEx(
break;
}
memset(&rangeBuf, 0, sizeof(rangeBuf));
sprintf(rangeBuf.RangeHeader,
snprintf(rangeBuf.RangeHeader,
sizeof(rangeBuf.RangeHeader) - 1,
"Range: bytes=%d-%d\r\n", lowRange, highRange);
membuffer_init(&request);
errCode = MakeGetMessageEx(url_str, &request, &url, &rangeBuf);

19
upnp/src/genlib/net/http/webserver.c
View File

@@ -316,6 +316,7 @@ static UPNP_INLINE int get_content_type(
temp = malloc(length);
if (!temp)
return UPNP_E_OUTOF_MEMORY;
memset(temp, 0, length);
sprintf(temp, "%s/%s", type, subtype);
(*content_type) = ixmlCloneDOMString(temp);
free(temp);
@@ -769,7 +770,8 @@ static int CreateHTTPRangeResponseHeader(
RangeInput = malloc(strlen(ByteRangeSpecifier) + 1);
if (!RangeInput)
return UPNP_E_OUTOF_MEMORY;
strcpy(RangeInput, ByteRangeSpecifier);
memset(RangeInput, 0, strlen(ByteRangeSpecifier) + 1);
strncpy(RangeInput, ByteRangeSpecifier, strlen(ByteRangeSpecifier));
/* CONTENT-RANGE: bytes 222-3333/4000 HTTP_PARTIAL_CONTENT */
if (StrStr(RangeInput, "bytes") == NULL ||
(Ptr = StrStr(RangeInput, "=")) == NULL) {
@@ -788,13 +790,15 @@ static int CreateHTTPRangeResponseHeader(
free(RangeInput);
return HTTP_REQUEST_RANGE_NOT_SATISFIABLE;
}
memset(Instr->RangeHeader, 0, sizeof(Instr->RangeHeader));
if (FirstByte >= 0 && LastByte >= 0 && LastByte >= FirstByte) {
if (LastByte >= FileLength)
LastByte = FileLength - 1;
Instr->RangeOffset = FirstByte;
Instr->ReadSendSize = LastByte - FirstByte + 1;
/* Data between two range. */
sprintf(Instr->RangeHeader,
snprintf(Instr->RangeHeader,
sizeof(Instr->RangeHeader) - 1,
"CONTENT-RANGE: bytes %" PRId64
"-%" PRId64 "/%" PRId64 "\r\n",
(int64_t)FirstByte,
@@ -804,7 +808,10 @@ static int CreateHTTPRangeResponseHeader(
&& FirstByte < FileLength) {
Instr->RangeOffset = FirstByte;
Instr->ReadSendSize = FileLength - FirstByte;
sprintf(Instr->RangeHeader,
memset(Instr->RangeHeader, 0,
sizeof(Instr->RangeHeader));
snprintf(Instr->RangeHeader,
sizeof(Instr->RangeHeader) - 1,
"CONTENT-RANGE: bytes %" PRId64
"-%" PRId64 "/%" PRId64 "\r\n",
(int64_t)FirstByte,
@@ -814,7 +821,8 @@ static int CreateHTTPRangeResponseHeader(
if (LastByte >= FileLength) {
Instr->RangeOffset = 0;
Instr->ReadSendSize = FileLength;
sprintf(Instr->RangeHeader,
snprintf(Instr->RangeHeader,
sizeof(Instr->RangeHeader) - 1,
"CONTENT-RANGE: bytes 0-%" PRId64
"/%" PRId64 "\r\n",
(int64_t)(FileLength - 1),
@@ -822,7 +830,8 @@ static int CreateHTTPRangeResponseHeader(
} else {
Instr->RangeOffset = FileLength - LastByte;
Instr->ReadSendSize = LastByte;
sprintf(Instr->RangeHeader,
snprintf(Instr->RangeHeader,
sizeof(Instr->RangeHeader) - 1,
"CONTENT-RANGE: bytes %" PRId64
"-%" PRId64 "/%" PRId64 "\r\n",
(int64_t)(FileLength - LastByte + 1),

12
upnp/src/genlib/net/uri/uri.c
View File

@@ -2,6 +2,7 @@
*
* Copyright (c) 2000-2003 Intel Corporation
* All rights reserved.
* Copyright (c) 2012 France Telecom All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -587,12 +588,13 @@ char *resolve_rel_url(char *base_url, char *rel_url)
if( out == NULL ) {
return NULL;
}
memset( out, 0, strlen( base_url ) + strlen( rel_url ) + 2 );
if( ( parse_uri( rel_url, strlen( rel_url ), &rel ) ) == HTTP_SUCCESS ) {
if( rel.type == ABSOLUTE ) {
strcpy( out, rel_url );
strncpy( out, rel_url, strlen ( rel_url ) );
} else {
if( ( parse_uri( base_url, strlen( base_url ), &base ) ==
@@ -600,7 +602,7 @@ char *resolve_rel_url(char *base_url, char *rel_url)
&& ( base.type == ABSOLUTE ) ) {
if( strlen( rel_url ) == 0 ) {
strcpy( out, base_url );
strncpy( out, base_url, strlen ( base_url ) );
} else {
memcpy( out, base.scheme.buff, base.scheme.size );
out_finger += base.scheme.size;
@@ -608,7 +610,7 @@ char *resolve_rel_url(char *base_url, char *rel_url)
out_finger++;
if( rel.hostport.text.size > 0 ) {
sprintf( out_finger, "%s", rel_url );
snprintf( out_finger, strlen( rel_url ), "%s", rel_url );
} else {
if( base.hostport.text.size > 0 ) {
memcpy( out_finger, "//", 2 );
@@ -619,7 +621,7 @@ char *resolve_rel_url(char *base_url, char *rel_url)
}
if( rel.path_type == ABS_PATH ) {
strcpy( out_finger, rel_url );
strncpy( out_finger, rel_url, strlen ( rel_url ) );
} else {
@@ -640,7 +642,7 @@ char *resolve_rel_url(char *base_url, char *rel_url)
finger++;
}
strcpy( last_slash, rel_url );
strncpy( last_slash, rel_url, strlen ( rel_url ) );
if( remove_dots( out_finger,
strlen( out_finger ) ) !=
UPNP_E_SUCCESS ) {

3
upnp/src/soap/soap_device.c
View File

@@ -193,7 +193,8 @@ static void send_error_response(
char err_code_str[30];
membuffer headers;
sprintf(err_code_str, "%d", error_code);
memset(err_code_str, 0, sizeof(err_code_str));
snprintf(err_code_str, sizeof(err_code_str) - 1, "%d", error_code);
/* calc body len */
content_length = (off_t) (strlen(start_body) + strlen(err_code_str) +
strlen(mid_body) + strlen(err_msg) +

26
upnp/src/ssdp/ssdp_ctrlpt.c
View File

@@ -319,24 +319,27 @@ static void CreateClientRequestPacket(
{
char TempBuf[COMMAND_LEN];
memset(TempBuf, 0, sizeof(TempBuf));
strcpy(RqstBuf, "M-SEARCH * HTTP/1.1\r\n");
if (AddressFamily == AF_INET) {
sprintf(TempBuf, "HOST: %s:%d\r\n", SSDP_IP, SSDP_PORT);
snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: %s:%d\r\n",
SSDP_IP, SSDP_PORT);
} else if (AddressFamily == AF_INET6) {
sprintf(TempBuf, "HOST: [%s]:%d\r\n", SSDP_IPV6_LINKLOCAL,
SSDP_PORT);
snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: [%s]:%d\r\n",
SSDP_IPV6_LINKLOCAL, SSDP_PORT);
}
strcat(RqstBuf, TempBuf);
strcat(RqstBuf, "MAN: \"ssdp:discover\"\r\n");
if (Mx > 0) {
sprintf(TempBuf, "MX: %d\r\n", Mx);
snprintf(TempBuf, sizeof(TempBuf) - 1, "MX: %d\r\n", Mx);
strcat(RqstBuf, TempBuf);
}
if (SearchTarget != NULL) {
sprintf(TempBuf, "ST: %s\r\n", SearchTarget);
snprintf(TempBuf, sizeof(TempBuf) - 1, "ST: %s\r\n",
SearchTarget);
strcat(RqstBuf, TempBuf);
}
strcat(RqstBuf, "\r\n");
@@ -357,21 +360,24 @@ static void CreateClientRequestPacketUlaGua(
{
char TempBuf[COMMAND_LEN];
memset(TempBuf, 0, sizeof(TempBuf));
strcpy(RqstBuf, "M-SEARCH * HTTP/1.1\r\n");
if (AddressFamily == AF_INET) {
sprintf(TempBuf, "HOST: %s:%d\r\n", SSDP_IP, SSDP_PORT);
snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: %s:%d\r\n",
SSDP_IP, SSDP_PORT);
} else if (AddressFamily == AF_INET6) {
sprintf(TempBuf, "HOST: [%s]:%d\r\n", SSDP_IPV6_SITELOCAL,
SSDP_PORT);
snprintf(TempBuf, sizeof(TempBuf) - 1, "HOST: [%s]:%d\r\n",
SSDP_IPV6_SITELOCAL, SSDP_PORT);
}
strcat(RqstBuf, TempBuf);
strcat(RqstBuf, "MAN: \"ssdp:discover\"\r\n");
if (Mx > 0) {
sprintf(TempBuf, "MX: %d\r\n", Mx);
snprintf(TempBuf, sizeof(TempBuf) - 1, "MX: %d\r\n", Mx);
strcat(RqstBuf, TempBuf);
}
if (SearchTarget) {
sprintf(TempBuf, "ST: %s\r\n", SearchTarget);
snprintf(TempBuf, sizeof(TempBuf) - 1, "ST: %s\r\n",
SearchTarget);
strcat(RqstBuf, TempBuf);
}
strcat(RqstBuf, "\r\n");

43
upnp/src/ssdp/ssdp_device.c
View File

@@ -440,6 +440,7 @@ int DeviceAdvertisement(char *DevType, int RootDev, char *Udn, char *Location,
UpnpPrintf(UPNP_INFO, SSDP, __FILE__, __LINE__,
"In function DeviceAdvertisement\n");
memset(&__ss, 0, sizeof(__ss));
memset(Mil_Usn, 0, sizeof(Mil_Usn));
if (AddressFamily == AF_INET) {
DestAddr4->sin_family = AF_INET;
inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr);
@@ -461,7 +462,8 @@ int DeviceAdvertisement(char *DevType, int RootDev, char *Udn, char *Location,
/* If deviceis a root device , here we need to send 3 advertisement
* or reply */
if (RootDev) {
sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1,
"%s::upnp:rootdevice", Udn);
CreateServicePacket(MSGTYPE_ADVERTISEMENT, "upnp:rootdevice",
Mil_Usn, Location, Duration, &msgs[0],
AddressFamily, PowerState, SleepPeriod,
@@ -471,7 +473,7 @@ int DeviceAdvertisement(char *DevType, int RootDev, char *Udn, char *Location,
CreateServicePacket(MSGTYPE_ADVERTISEMENT, Udn, Udn,
Location, Duration, &msgs[1], AddressFamily,
PowerState, SleepPeriod, RegistrationState);
sprintf(Mil_Usn, "%s::%s", Udn, DevType);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, DevType);
CreateServicePacket(MSGTYPE_ADVERTISEMENT, DevType, Mil_Usn,
Location, Duration, &msgs[2], AddressFamily,
PowerState, SleepPeriod, RegistrationState);
@@ -513,11 +515,13 @@ int SendReply(struct sockaddr *DestAddr, char *DevType, int RootDev,
msgs[0] = NULL;
msgs[1] = NULL;
memset(Mil_Usn, 0, sizeof(Mil_Usn));
if (RootDev) {
/* one msg for root device */
num_msgs = 1;
sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::upnp:rootdevice",
Udn);
CreateServicePacket(MSGTYPE_REPLY, "upnp:rootdevice",
Mil_Usn, Location, Duration, &msgs[0],
DestAddr->sa_family, PowerState,
@@ -533,7 +537,8 @@ int SendReply(struct sockaddr *DestAddr, char *DevType, int RootDev,
DestAddr->sa_family, PowerState,
SleepPeriod, RegistrationState);
} else {
sprintf(Mil_Usn, "%s::%s", Udn, DevType);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn,
DevType);
CreateServicePacket(MSGTYPE_REPLY, DevType, Mil_Usn,
Location, Duration, &msgs[0],
DestAddr->sa_family, PowerState,
@@ -567,23 +572,26 @@ int DeviceReply(struct sockaddr *DestAddr, char *DevType, int RootDev,
szReq[0] = NULL;
szReq[1] = NULL;
szReq[2] = NULL;
memset(Mil_Nt, 0, sizeof(Mil_Nt));
memset(Mil_Usn, 0, sizeof(Mil_Usn));
/* create 2 or 3 msgs */
if (RootDev) {
/* 3 replies for root device */
strcpy(Mil_Nt, "upnp:rootdevice");
sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn);
strncpy(Mil_Nt, "upnp:rootdevice", sizeof(Mil_Nt) - 1);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::upnp:rootdevice",
Udn);
CreateServicePacket(MSGTYPE_REPLY, Mil_Nt, Mil_Usn,
Location, Duration, &szReq[0],
DestAddr->sa_family, PowerState,
SleepPeriod, RegistrationState);
}
sprintf(Mil_Nt, "%s", Udn);
sprintf(Mil_Usn, "%s", Udn);
snprintf(Mil_Nt, sizeof(Mil_Nt) - 1, "%s", Udn);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s", Udn);
CreateServicePacket(MSGTYPE_REPLY, Mil_Nt, Mil_Usn,
Location, Duration, &szReq[1], DestAddr->sa_family,
PowerState, SleepPeriod, RegistrationState);
sprintf(Mil_Nt, "%s", DevType);
sprintf(Mil_Usn, "%s::%s", Udn, DevType);
snprintf(Mil_Nt, sizeof(Mil_Nt) - 1, "%s", DevType);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, DevType);
CreateServicePacket(MSGTYPE_REPLY, Mil_Nt, Mil_Usn,
Location, Duration, &szReq[2], DestAddr->sa_family,
PowerState, SleepPeriod, RegistrationState);
@@ -621,6 +629,7 @@ int ServiceAdvertisement(char *Udn, char *ServType, char *Location,
struct sockaddr_in6 *DestAddr6 = (struct sockaddr_in6 *)&__ss;
memset(&__ss, 0, sizeof(__ss));
memset(Mil_Usn, 0, sizeof(Mil_Usn));
if (AddressFamily == AF_INET) {
DestAddr4->sin_family = AF_INET;
inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr);
@@ -636,7 +645,7 @@ int ServiceAdvertisement(char *Udn, char *ServType, char *Location,
UpnpPrintf(UPNP_CRITICAL, SSDP, __FILE__, __LINE__,
"Invalid device address family.\n");
}
sprintf(Mil_Usn, "%s::%s", Udn, ServType);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1,"%s::%s", Udn, ServType);
/* CreateServiceRequestPacket(1,szReq[0],Mil_Nt,Mil_Usn,
* Server,Location,Duration); */
CreateServicePacket(MSGTYPE_ADVERTISEMENT, ServType, Mil_Usn,
@@ -659,8 +668,9 @@ int ServiceReply(struct sockaddr *DestAddr, char *ServType, char *Udn,
char *szReq[1];
int RetVal;
memset(Mil_Usn, 0, sizeof(Mil_Usn));
szReq[0] = NULL;
sprintf(Mil_Usn, "%s::%s", Udn, ServType);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, ServType);
CreateServicePacket(MSGTYPE_REPLY, ServType, Mil_Usn,
Location, Duration, &szReq[0], DestAddr->sa_family,
PowerState, SleepPeriod, RegistrationState);
@@ -684,6 +694,7 @@ int ServiceShutdown(char *Udn, char *ServType, char *Location, int Duration,
int RetVal = UPNP_E_SUCCESS;
memset(&__ss, 0, sizeof(__ss));
memset(Mil_Usn, 0, sizeof(Mil_Usn));
if (AddressFamily == AF_INET) {
DestAddr4->sin_family = AF_INET;
inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr);
@@ -700,7 +711,7 @@ int ServiceShutdown(char *Udn, char *ServType, char *Location, int Duration,
"Invalid device address family.\n");
}
/* sprintf(Mil_Nt,"%s",ServType); */
sprintf(Mil_Usn, "%s::%s", Udn, ServType);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, ServType);
/* CreateServiceRequestPacket(0,szReq[0],Mil_Nt,Mil_Usn,
* Server,Location,Duration); */
CreateServicePacket(MSGTYPE_SHUTDOWN, ServType, Mil_Usn,
@@ -729,6 +740,7 @@ int DeviceShutdown(char *DevType, int RootDev, char *Udn, char *_Server,
msgs[1] = NULL;
msgs[2] = NULL;
memset(&__ss, 0, sizeof(__ss));
memset(Mil_Usn, 0, sizeof(Mil_Usn));
if (AddressFamily == AF_INET) {
DestAddr4->sin_family = AF_INET;
inet_pton(AF_INET, SSDP_IP, &DestAddr4->sin_addr);
@@ -746,7 +758,8 @@ int DeviceShutdown(char *DevType, int RootDev, char *Udn, char *_Server,
}
/* root device has one extra msg */
if (RootDev) {
sprintf(Mil_Usn, "%s::upnp:rootdevice", Udn);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::upnp:rootdevice",
Udn);
CreateServicePacket(MSGTYPE_SHUTDOWN, "upnp:rootdevice",
Mil_Usn, Location, Duration, &msgs[0],
AddressFamily, PowerState, SleepPeriod,
@@ -758,7 +771,7 @@ int DeviceShutdown(char *DevType, int RootDev, char *Udn, char *_Server,
CreateServicePacket(MSGTYPE_SHUTDOWN, Udn, Udn,
Location, Duration, &msgs[1], AddressFamily,
PowerState, SleepPeriod, RegistrationState);
sprintf(Mil_Usn, "%s::%s", Udn, DevType);
snprintf(Mil_Usn, sizeof(Mil_Usn) - 1, "%s::%s", Udn, DevType);
CreateServicePacket(MSGTYPE_SHUTDOWN, DevType, Mil_Usn,
Location, Duration, &msgs[2], AddressFamily,
PowerState, SleepPeriod, RegistrationState);

11
upnp/src/ssdp/ssdp_server.c
View File

@@ -467,8 +467,11 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
ptr3 = strstr(ptr2 + 1, ":");
else
return -1;
if (ptr3 != NULL)
sprintf(Evt->UDN, "uuid:%s", ptr3 + 1);
if (ptr3 != NULL) {
memset(Evt->UDN, 0, sizeof(Evt->UDN));
snprintf(Evt->UDN, sizeof(Evt->UDN) - 1,
"uuid:%s", ptr3 + 1);
}
else
return -1;
ptr1 = strstr(cmd, ":");
@@ -476,7 +479,9 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
n = (size_t) (ptr3 - ptr1);
strncpy(TempBuf, ptr1, n);
TempBuf[n] = '\0';
sprintf(Evt->DeviceType, "urn%s", TempBuf);
memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
snprintf(Evt->DeviceType, sizeof(Evt->DeviceType) - 1,
"urn%s", TempBuf);
} else
return -1;
return 0;

14
upnp/src/urlconfig/urlconfig.c
View File

@@ -133,9 +133,10 @@ static UPNP_INLINE int calc_alias(
alias_temp = malloc(new_alias_len + 1);
if (alias_temp == NULL)
return UPNP_E_OUTOF_MEMORY;
strcpy(alias_temp, rootPath);
strcat(alias_temp, temp_str);
strcat(alias_temp, aliasPtr);
memset(alias_temp, 0, new_alias_len + 1);
strncpy(alias_temp, rootPath, root_len);
strncat(alias_temp, temp_str, strlen(temp_str));
strncat(alias_temp, aliasPtr, strlen(aliasPtr));
*newAlias = alias_temp;
return UPNP_E_SUCCESS;
@@ -173,9 +174,10 @@ static UPNP_INLINE int calc_descURL(
len = strlen(http_scheme) + strlen(ipPortStr) + strlen(alias);
if (len > (LINE_SIZE - 1))
return UPNP_E_URL_TOO_BIG;
strcpy(descURL, http_scheme);
strcat(descURL, ipPortStr);
strcat(descURL, alias);
strncpy(descURL, http_scheme, strlen(http_scheme));
strncat(descURL, ipPortStr, strlen(ipPortStr));
strncat(descURL, alias, strlen(alias));
descURL[len] = '\0';
UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__,
"desc url: %s\n", descURL);