generic-library/libupnp
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Replace sprintf by snprintf in http_WriteHttpPost

Browse Source 
Replace sprintf by snprintf in http_WriteHttpPost to avoid buffer
overflow.
This commit is contained in:
Fabrice Fontaine 2012-03-18 16:14:41 +01:00
parent e13ffe3bf8
commit a04c36f47e
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -2,6 +2,13 @@
Version 1.6.16 Version 1.6.16
******************************************************************************* *******************************************************************************
2012-03-18 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
Replace sprintf by snprintf in http_WriteHttpPost
Replace sprintf by snprintf in http_WriteHttpPost to avoid buffer
overflow.
2012-03-18 Fabrice Fontaine <fabrice.fontaine(at)orange.com> 2012-03-18 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
Add infoSize parameter to get_sdk_info Add infoSize parameter to get_sdk_info

8
upnp/src/genlib/net/http/httpreadwrite.c
View File

@ -875,13 +875,13 @@ int http_WriteHttpPost( IN void *Handle,
} }
if (handle->contentLength == UPNP_USING_CHUNKED) { if (handle->contentLength == UPNP_USING_CHUNKED) {
if (*size) { if (*size) {
size_t tempSize = (size_t)0; size_t tempSize = *size +
tempbuf = malloc(*size + CHUNK_HEADER_SIZE + CHUNK_TAIL_SIZE;
CHUNK_HEADER_SIZE + CHUNK_TAIL_SIZE); tempbuf = malloc(tempSize);
if (!tempbuf) if (!tempbuf)
return UPNP_E_OUTOF_MEMORY; return UPNP_E_OUTOF_MEMORY;
/* begin chunk */ /* begin chunk */
sprintf(tempbuf, "%" PRIzx "\r\n", *size); snprintf(tempbuf, tempSize, "%" PRIzx "\r\n", *size);
tempSize = strlen(tempbuf); tempSize = strlen(tempbuf);
memcpy(tempbuf + tempSize, buf, *size); memcpy(tempbuf + tempSize, buf, *size);
memcpy(tempbuf + tempSize + *size, "\r\n", (size_t)2); memcpy(tempbuf + tempSize + *size, "\r\n", (size_t)2);