generic-library/libupnp
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SF Bug Tracker id 3497714 - Buffer overflows

Browse Source 
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-06 07:36:08 PST

Call to strcpy should be replaced by call to memset and strncpy to
avoid getting buffer overflows.
This commit is contained in:
Fabrice Fontaine
2012-03-06 12:48:06 +01:00
parent 3e7bf14488
commit c13b1f7e37
6 changed files with 106 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
upnp/src/gena/gena_ctrlpt.c
View File

@@ -155,6 +155,7 @@ static int ScheduleGenaAutoRenew(
return_code = UPNP_E_OUTOF_MEMORY;
goto end_function;
}
memset(RenewEventStruct, 0, sizeof(struct Upnp_Event_Subscribe));
RenewEvent = (upnp_timeout *) malloc(sizeof(upnp_timeout));
if (RenewEvent == NULL) {
@@ -162,11 +163,13 @@ static int ScheduleGenaAutoRenew(
return_code = UPNP_E_OUTOF_MEMORY;
goto end_function;
}
memset(RenewEvent, 0, sizeof(upnp_timeout));
/* schedule expire event */
RenewEventStruct->ErrCode = UPNP_E_SUCCESS;
RenewEventStruct->TimeOut = TimeOut;
strcpy(RenewEventStruct->Sid, UpnpString_get_String(tmpSID));
strncpy(RenewEventStruct->Sid, UpnpString_get_String(tmpSID),
sizeof(RenewEventStruct->Sid) - 1);
strncpy(RenewEventStruct->PublisherUrl,
UpnpString_get_String(tmpEventURL), NAME_SIZE - 1);
@@ -791,7 +794,9 @@ void gena_process_notification_event(
/* fill event struct */
tmpSID = UpnpClientSubscription_get_SID(subscription);
strcpy(event_struct.Sid, UpnpString_get_String(tmpSID));
memset(event_struct.Sid, 0, sizeof(event_struct.Sid));
strncpy(event_struct.Sid, UpnpString_get_String(tmpSID),
sizeof(event_struct.Sid) - 1);
event_struct.EventKey = eventKey;
event_struct.ChangedVariables = ChangedVars;