Do not clear buffer before snprintf.
It had no effect since snprintf can overwrite whole buffer.
This commit is contained in:
Yoichi NAKAYAMA
@@ -2,6 +2,12 @@
|
|||||||
Version 1.6.16
|
Version 1.6.16
|
||||||
*******************************************************************************
|
*******************************************************************************
|
||||||
|
|
||||||
|
2012-03-10 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
|
||||||
|
|
||||||
|
Further measures against buffer overflows.
|
||||||
|
|
||||||
|
Do not clear buffer before snprintf.
|
||||||
|
|
||||||
2012-03-10 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
|
2012-03-10 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
|
||||||
|
|
||||||
Handle allocation error in strndup to avoid access violation.
|
Handle allocation error in strndup to avoid access violation.
|
||||||
|
|||||||
@@ -222,7 +222,6 @@ static int addToAction(
|
|||||||
if (ActBuff == NULL) {
|
if (ActBuff == NULL) {
|
||||||
return UPNP_E_OUTOF_MEMORY;
|
return UPNP_E_OUTOF_MEMORY;
|
||||||
}
|
}
|
||||||
memset(ActBuff, 0, HEADER_LENGTH);
|
|
||||||
|
|
||||||
if (response) {
|
if (response) {
|
||||||
rc = snprintf(ActBuff, HEADER_LENGTH,
|
rc = snprintf(ActBuff, HEADER_LENGTH,
|
||||||
@@ -301,7 +300,6 @@ static IXML_Document *makeAction(
|
|||||||
if (ActBuff == NULL) {
|
if (ActBuff == NULL) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
memset(ActBuff, 0, HEADER_LENGTH);
|
|
||||||
|
|
||||||
if (response) {
|
if (response) {
|
||||||
rc = snprintf(ActBuff, HEADER_LENGTH,
|
rc = snprintf(ActBuff, HEADER_LENGTH,
|
||||||
|
|||||||
@@ -294,7 +294,6 @@ static int gena_subscribe(
|
|||||||
http_parser_t response;
|
http_parser_t response;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
memset(timeout_str, 0, sizeof(timeout_str));
|
|
||||||
UpnpString_clear(sid);
|
UpnpString_clear(sid);
|
||||||
|
|
||||||
/* request timeout to string */
|
/* request timeout to string */
|
||||||
@@ -302,6 +301,7 @@ static int gena_subscribe(
|
|||||||
timeout = &local_timeout;
|
timeout = &local_timeout;
|
||||||
}
|
}
|
||||||
if (*timeout < 0) {
|
if (*timeout < 0) {
|
||||||
|
memset(timeout_str, 0, sizeof(timeout_str));
|
||||||
strncpy(timeout_str, "infinite", sizeof(timeout_str) - 1);
|
strncpy(timeout_str, "infinite", sizeof(timeout_str) - 1);
|
||||||
} else if(*timeout < CP_MINIMUM_SUBSCRIPTION_TIME) {
|
} else if(*timeout < CP_MINIMUM_SUBSCRIPTION_TIME) {
|
||||||
rc = snprintf(timeout_str, sizeof(timeout_str),
|
rc = snprintf(timeout_str, sizeof(timeout_str),
|
||||||
|
|||||||
@@ -430,7 +430,6 @@ static char *AllocGenaHeaders(
|
|||||||
line = __LINE__;
|
line = __LINE__;
|
||||||
goto ExitFunction;
|
goto ExitFunction;
|
||||||
}
|
}
|
||||||
memset(headers, 0, headers_size);
|
|
||||||
rc = snprintf(headers, headers_size, "%s%s%"PRIzu"%s%s%s",
|
rc = snprintf(headers, headers_size, "%s%s%"PRIzu"%s%s%s",
|
||||||
HEADER_LINE_1,
|
HEADER_LINE_1,
|
||||||
HEADER_LINE_2A,
|
HEADER_LINE_2A,
|
||||||
@@ -1082,7 +1081,6 @@ static int respond_ok(
|
|||||||
int upnp_timeout = UPNP_TIMEOUT;
|
int upnp_timeout = UPNP_TIMEOUT;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
memset( timeout_str, 0, sizeof( timeout_str ) );
|
|
||||||
http_CalcResponseVersion( request->major_version,
|
http_CalcResponseVersion( request->major_version,
|
||||||
request->minor_version, &major, &minor );
|
request->minor_version, &major, &minor );
|
||||||
|
|
||||||
@@ -1090,6 +1088,7 @@ static int respond_ok(
|
|||||||
rc = snprintf( timeout_str, sizeof ( timeout_str ),
|
rc = snprintf( timeout_str, sizeof ( timeout_str ),
|
||||||
"TIMEOUT: Second-%d", time_out );
|
"TIMEOUT: Second-%d", time_out );
|
||||||
} else {
|
} else {
|
||||||
|
memset( timeout_str, 0, sizeof( timeout_str ) );
|
||||||
strncpy( timeout_str, "TIMEOUT: Second-infinite",
|
strncpy( timeout_str, "TIMEOUT: Second-infinite",
|
||||||
sizeof ( timeout_str ) - 1);
|
sizeof ( timeout_str ) - 1);
|
||||||
}
|
}
|
||||||
@@ -1360,7 +1359,6 @@ void gena_process_subscription_request(
|
|||||||
/* generate SID */
|
/* generate SID */
|
||||||
uuid_create(&uid);
|
uuid_create(&uid);
|
||||||
uuid_unpack(&uid, temp_sid);
|
uuid_unpack(&uid, temp_sid);
|
||||||
memset(sub->sid, 0, sizeof(sub->sid));
|
|
||||||
rc = snprintf(sub->sid, sizeof(sub->sid), "uuid:%s", temp_sid);
|
rc = snprintf(sub->sid, sizeof(sub->sid), "uuid:%s", temp_sid);
|
||||||
|
|
||||||
/* respond OK */
|
/* respond OK */
|
||||||
|
|||||||
@@ -323,7 +323,6 @@ static UPNP_INLINE int get_content_type(
|
|||||||
temp = malloc(length);
|
temp = malloc(length);
|
||||||
if (!temp)
|
if (!temp)
|
||||||
return UPNP_E_OUTOF_MEMORY;
|
return UPNP_E_OUTOF_MEMORY;
|
||||||
memset(temp, 0, length);
|
|
||||||
rc = snprintf(temp, length, "%s/%s", type, subtype);
|
rc = snprintf(temp, length, "%s/%s", type, subtype);
|
||||||
if (rc < 0 || (unsigned int) rc >= length) {
|
if (rc < 0 || (unsigned int) rc >= length) {
|
||||||
free(temp);
|
free(temp);
|
||||||
@@ -802,7 +801,6 @@ static int CreateHTTPRangeResponseHeader(
|
|||||||
free(RangeInput);
|
free(RangeInput);
|
||||||
return HTTP_REQUEST_RANGE_NOT_SATISFIABLE;
|
return HTTP_REQUEST_RANGE_NOT_SATISFIABLE;
|
||||||
}
|
}
|
||||||
memset(Instr->RangeHeader, 0, sizeof(Instr->RangeHeader));
|
|
||||||
if (FirstByte >= 0 && LastByte >= 0 && LastByte >= FirstByte) {
|
if (FirstByte >= 0 && LastByte >= 0 && LastByte >= FirstByte) {
|
||||||
if (LastByte >= FileLength)
|
if (LastByte >= FileLength)
|
||||||
LastByte = FileLength - 1;
|
LastByte = FileLength - 1;
|
||||||
@@ -824,8 +822,6 @@ static int CreateHTTPRangeResponseHeader(
|
|||||||
&& FirstByte < FileLength) {
|
&& FirstByte < FileLength) {
|
||||||
Instr->RangeOffset = FirstByte;
|
Instr->RangeOffset = FirstByte;
|
||||||
Instr->ReadSendSize = FileLength - FirstByte;
|
Instr->ReadSendSize = FileLength - FirstByte;
|
||||||
memset(Instr->RangeHeader, 0,
|
|
||||||
sizeof(Instr->RangeHeader));
|
|
||||||
rc = snprintf(Instr->RangeHeader,
|
rc = snprintf(Instr->RangeHeader,
|
||||||
sizeof(Instr->RangeHeader),
|
sizeof(Instr->RangeHeader),
|
||||||
"CONTENT-RANGE: bytes %" PRId64
|
"CONTENT-RANGE: bytes %" PRId64
|
||||||
|
|||||||
@@ -471,7 +471,6 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
|
|||||||
else
|
else
|
||||||
return -1;
|
return -1;
|
||||||
if (ptr3 != NULL) {
|
if (ptr3 != NULL) {
|
||||||
memset(Evt->UDN, 0, sizeof(Evt->UDN));
|
|
||||||
rc = snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s",
|
rc = snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s",
|
||||||
ptr3 + 1);
|
ptr3 + 1);
|
||||||
if (rc < 0 || (unsigned int) rc >= sizeof(Evt->UDN))
|
if (rc < 0 || (unsigned int) rc >= sizeof(Evt->UDN))
|
||||||
@@ -484,7 +483,6 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
|
|||||||
n = (size_t) (ptr3 - ptr1);
|
n = (size_t) (ptr3 - ptr1);
|
||||||
strncpy(TempBuf, ptr1, n);
|
strncpy(TempBuf, ptr1, n);
|
||||||
TempBuf[n] = '\0';
|
TempBuf[n] = '\0';
|
||||||
memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
|
|
||||||
rc = snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
|
rc = snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
|
||||||
"urn%s", TempBuf);
|
"urn%s", TempBuf);
|
||||||
if (rc < 0 || (unsigned int) rc >= sizeof(Evt->DeviceType))
|
if (rc < 0 || (unsigned int) rc >= sizeof(Evt->DeviceType))
|
||||||
|
|||||||
Reference in New Issue
Block a user