Do not clear buffer before snprintf.

It had no effect since snprintf can overwrite whole buffer.
2012-03-11 01:04:24 +09:00 · 2012-03-11 01:04:24 +09:00 · a0dc3482dc
commit a0dc3482dc
parent 87d1d3c3ec
6 changed files with 8 additions and 12 deletions
--- a/6
+++ b/6
@ -2,6 +2,12 @@
 Version 1.6.16
 *******************************************************************************

+2012-03-10 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
+
+	Further measures against buffer overflows.
+
+	Do not clear buffer before snprintf.
+
 2012-03-10 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>

 	Handle allocation error in strndup to avoid access violation.
--- a/upnp/src/api/upnptools.c
+++ b/upnp/src/api/upnptools.c
@ -222,7 +222,6 @@ static int addToAction(
 		if (ActBuff == NULL) {
 			return UPNP_E_OUTOF_MEMORY;
 		}
-		memset(ActBuff, 0, HEADER_LENGTH);

 		if (response) {
 			rc = snprintf(ActBuff, HEADER_LENGTH,
@ -301,7 +300,6 @@ static IXML_Document *makeAction(
 	if (ActBuff == NULL) {
 		return NULL;
 	}
-	memset(ActBuff, 0, HEADER_LENGTH);

 	if (response) {
 		rc = snprintf(ActBuff, HEADER_LENGTH,
--- a/upnp/src/gena/gena_ctrlpt.c
+++ b/upnp/src/gena/gena_ctrlpt.c
@ -294,7 +294,6 @@ static int gena_subscribe(
 	http_parser_t response;
 	int rc = 0;

-	memset(timeout_str, 0, sizeof(timeout_str));
 	UpnpString_clear(sid);

 	/* request timeout to string */
@ -302,6 +301,7 @@ static int gena_subscribe(
 		timeout = &local_timeout;
 	}
 	if (*timeout < 0) {
+		memset(timeout_str, 0, sizeof(timeout_str));
 		strncpy(timeout_str, "infinite", sizeof(timeout_str) - 1);
 	} else if(*timeout < CP_MINIMUM_SUBSCRIPTION_TIME) {
 		rc = snprintf(timeout_str, sizeof(timeout_str),
--- a/upnp/src/gena/gena_device.c
+++ b/upnp/src/gena/gena_device.c
@ -430,7 +430,6 @@ static char *AllocGenaHeaders(
 		line = __LINE__;
 		goto ExitFunction;
 	}
-	memset(headers, 0, headers_size);
 	rc = snprintf(headers, headers_size, "%s%s%"PRIzu"%s%s%s",
 		HEADER_LINE_1,
 		HEADER_LINE_2A,
@ -1082,7 +1081,6 @@ static int respond_ok(
    int upnp_timeout = UPNP_TIMEOUT;
    int rc = 0;

-    memset( timeout_str, 0, sizeof( timeout_str ) );
    http_CalcResponseVersion( request->major_version,
                              request->minor_version, &major, &minor );

@ -1090,6 +1088,7 @@ static int respond_ok(
        rc = snprintf( timeout_str, sizeof ( timeout_str ),
                       "TIMEOUT: Second-%d", time_out );
    } else {
+        memset( timeout_str, 0, sizeof( timeout_str ) );
        strncpy( timeout_str, "TIMEOUT: Second-infinite",
                 sizeof ( timeout_str ) - 1);
    }
@ -1360,7 +1359,6 @@ void gena_process_subscription_request(
 	/* generate SID */
 	uuid_create(&uid);
 	uuid_unpack(&uid, temp_sid);
-	memset(sub->sid, 0, sizeof(sub->sid));
 	rc = snprintf(sub->sid, sizeof(sub->sid), "uuid:%s", temp_sid);

 	/* respond OK */
--- a/upnp/src/genlib/net/http/webserver.c
+++ b/upnp/src/genlib/net/http/webserver.c
@ -323,7 +323,6 @@ static UPNP_INLINE int get_content_type(
 	temp = malloc(length);
 	if (!temp)
 		return UPNP_E_OUTOF_MEMORY;
-	memset(temp, 0, length);
 	rc = snprintf(temp, length, "%s/%s", type, subtype);
 	if (rc < 0 || (unsigned int) rc >= length) {
 		free(temp);
@ -802,7 +801,6 @@ static int CreateHTTPRangeResponseHeader(
 			free(RangeInput);
 			return HTTP_REQUEST_RANGE_NOT_SATISFIABLE;
 		}
-		memset(Instr->RangeHeader, 0, sizeof(Instr->RangeHeader));
 		if (FirstByte >= 0 && LastByte >= 0 && LastByte >= FirstByte) {
 			if (LastByte >= FileLength)
 				LastByte = FileLength - 1;
@ -824,8 +822,6 @@ static int CreateHTTPRangeResponseHeader(
 			   && FirstByte < FileLength) {
 			Instr->RangeOffset = FirstByte;
 			Instr->ReadSendSize = FileLength - FirstByte;
-			memset(Instr->RangeHeader, 0,
-				sizeof(Instr->RangeHeader));
 			rc = snprintf(Instr->RangeHeader,
 				sizeof(Instr->RangeHeader),
 				"CONTENT-RANGE: bytes %" PRId64
--- a/upnp/src/ssdp/ssdp_server.c
+++ b/upnp/src/ssdp/ssdp_server.c
@ -471,7 +471,6 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
 		else
 			return -1;
 		if (ptr3 != NULL) {
-			memset(Evt->UDN, 0, sizeof(Evt->UDN));
 			rc = snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s",
 				ptr3 + 1);
 			if (rc < 0 || (unsigned int) rc >= sizeof(Evt->UDN))
@ -484,7 +483,6 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
 			n = (size_t) (ptr3 - ptr1);
 			strncpy(TempBuf, ptr1, n);
 			TempBuf[n] = '\0';
-			memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
 			rc = snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
 				"urn%s", TempBuf);
 			if (rc < 0 || (unsigned int) rc >= sizeof(Evt->DeviceType))