SF Bug Tracker id 3497714 - Buffer overflows

Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-06 07:36:08 PST

Call to strcpy should be replaced by call to memset and strncpy to
avoid getting buffer overflows.
Fabrice Fontaine 2012-03-06 12:48:06 +01:00
parent 3e7bf14488
commit c13b1f7e37
6 changed files with 106 additions and 43 deletions


@ -2,6 +2,15 @@
Version 1.6.16 Version 1.6.16
******************************************************************************* *******************************************************************************
2012-03-06 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
SF Bug Tracker id 3497714 - Buffer overflows
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-06 07:36:08 PST
Call to strcpy should be replaced by call to memset and strncpy to
avoid getting buffer overflows.
2012-03-05 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net> 2012-03-05 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>
SF Bug Tracker id 2989399 - UpnpSetVirtualDirCallbacks API removal in 1.6.x SF Bug Tracker id 2989399 - UpnpSetVirtualDirCallbacks API removal in 1.6.x


@ -784,6 +784,7 @@ int UpnpRegisterRootDevice(
retVal = UPNP_E_OUTOF_MEMORY; retVal = UPNP_E_OUTOF_MEMORY;
goto exit_function; goto exit_function;
} }
memset(HInfo, 0, sizeof(struct Handle_Info));
HandleTable[*Hnd] = HInfo; HandleTable[*Hnd] = HInfo;
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
@ -791,8 +792,8 @@ int UpnpRegisterRootDevice(
HInfo->aliasInstalled = 0; HInfo->aliasInstalled = 0;
HInfo->HType = HND_DEVICE; HInfo->HType = HND_DEVICE;
strcpy(HInfo->DescURL, DescUrl); strncpy(HInfo->DescURL, DescUrl, sizeof(HInfo->DescURL) - 1);
strcpy(HInfo->LowerDescURL, DescUrl); strncpy(HInfo->LowerDescURL, DescUrl, sizeof(HInfo->LowerDescURL) - 1);
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Following Root Device URL will be used when answering to legacy CPs %s\n", "Following Root Device URL will be used when answering to legacy CPs %s\n",
HInfo->LowerDescURL); HInfo->LowerDescURL);
@ -945,6 +946,7 @@ int UpnpRegisterRootDevice2(
retVal = UPNP_E_OUTOF_MEMORY; retVal = UPNP_E_OUTOF_MEMORY;
goto exit_function; goto exit_function;
} }
memset(HInfo, 0, sizeof(struct Handle_Info));
HandleTable[*Hnd] = HInfo; HandleTable[*Hnd] = HInfo;
/* prevent accidental removal of a non-existent alias */ /* prevent accidental removal of a non-existent alias */
@ -959,7 +961,8 @@ int UpnpRegisterRootDevice2(
goto exit_function; goto exit_function;
} }
strcpy(HInfo->LowerDescURL, HInfo->DescURL); strncpy(HInfo->LowerDescURL, HInfo->DescURL,
sizeof(HInfo->LowerDescURL) - 1);
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Following Root Device URL will be used when answering to legacy CPs %s\n", "Following Root Device URL will be used when answering to legacy CPs %s\n",
HInfo->LowerDescURL); HInfo->LowerDescURL);
@ -1110,16 +1113,19 @@ int UpnpRegisterRootDevice4(
retVal = UPNP_E_OUTOF_MEMORY; retVal = UPNP_E_OUTOF_MEMORY;
goto exit_function; goto exit_function;
} }
memset(HInfo, 0, sizeof(struct Handle_Info));
HandleTable[*Hnd] = HInfo; HandleTable[*Hnd] = HInfo;
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Root device URL is %s\n", DescUrl); "Root device URL is %s\n", DescUrl);
HInfo->aliasInstalled = 0; HInfo->aliasInstalled = 0;
HInfo->HType = HND_DEVICE; HInfo->HType = HND_DEVICE;
strcpy(HInfo->DescURL, DescUrl); strncpy(HInfo->DescURL, DescUrl, sizeof(HInfo->DescURL) - 1);
if (LowerDescUrl == NULL) if (LowerDescUrl == NULL)
strcpy(HInfo->LowerDescURL, DescUrl); strncpy(HInfo->LowerDescURL, DescUrl,
sizeof(HInfo->LowerDescURL) - 1);
else else
strcpy(HInfo->LowerDescURL, LowerDescUrl); strncpy(HInfo->LowerDescURL, LowerDescUrl,
sizeof(HInfo->LowerDescURL) - 1);
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Following Root Device URL will be used when answering to legacy CPs %s\n", "Following Root Device URL will be used when answering to legacy CPs %s\n",
HInfo->LowerDescURL); HInfo->LowerDescURL);
@ -1871,10 +1877,11 @@ int UpnpSubscribeAsync(
if( Param == NULL ) { if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY; return UPNP_E_OUTOF_MEMORY;
} }
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = SUBSCRIBE; Param->FunName = SUBSCRIBE;
Param->Handle = Hnd; Param->Handle = Hnd;
strcpy( Param->Url, EvtUrl ); strncpy( Param->Url, EvtUrl, sizeof( Param->Url ) - 1 );
Param->TimeOut = TimeOut; Param->TimeOut = TimeOut;
Param->Fun = Fun; Param->Fun = Fun;
Param->Cookie = (void *)Cookie_const; Param->Cookie = (void *)Cookie_const;
@ -2048,10 +2055,11 @@ int UpnpUnSubscribeAsync(
retVal = UPNP_E_OUTOF_MEMORY; retVal = UPNP_E_OUTOF_MEMORY;
goto exit_function; goto exit_function;
} }
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = UNSUBSCRIBE; Param->FunName = UNSUBSCRIBE;
Param->Handle = Hnd; Param->Handle = Hnd;
strcpy( Param->SubsId, SubsId ); strncpy( Param->SubsId, SubsId, sizeof( Param->SubsId ) - 1 );
Param->Fun = Fun; Param->Fun = Fun;
Param->Cookie = (void *)Cookie_const; Param->Cookie = (void *)Cookie_const;
TPJobInit( &job, ( start_routine ) UpnpThreadDistribution, Param ); TPJobInit( &job, ( start_routine ) UpnpThreadDistribution, Param );
@ -2164,10 +2172,11 @@ int UpnpRenewSubscriptionAsync(
if( Param == NULL ) { if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY; return UPNP_E_OUTOF_MEMORY;
} }
memset(Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = RENEW; Param->FunName = RENEW;
Param->Handle = Hnd; Param->Handle = Hnd;
strcpy( Param->SubsId, SubsId ); strncpy( Param->SubsId, SubsId, sizeof( Param->SubsId ) - 1 );
Param->Fun = Fun; Param->Fun = Fun;
Param->Cookie = ( void * )Cookie_const; Param->Cookie = ( void * )Cookie_const;
Param->TimeOut = TimeOut; Param->TimeOut = TimeOut;
@ -2599,11 +2608,13 @@ int UpnpSendActionAsync(
if( Param == NULL ) { if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY; return UPNP_E_OUTOF_MEMORY;
} }
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = ACTION; Param->FunName = ACTION;
Param->Handle = Hnd; Param->Handle = Hnd;
strcpy( Param->Url, ActionURL ); strncpy( Param->Url, ActionURL, sizeof ( Param->Url ) - 1 );
strcpy( Param->ServiceType, ServiceType ); strncpy( Param->ServiceType, ServiceType,
sizeof ( Param->ServiceType ) - 1 );
rc = ixmlParseBufferEx( tmpStr, &( Param->Act ) ); rc = ixmlParseBufferEx( tmpStr, &( Param->Act ) );
if( rc != IXML_SUCCESS ) { if( rc != IXML_SUCCESS ) {
@ -2694,11 +2705,13 @@ int UpnpSendActionExAsync(
if( Param == NULL ) { if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY; return UPNP_E_OUTOF_MEMORY;
} }
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = ACTION; Param->FunName = ACTION;
Param->Handle = Hnd; Param->Handle = Hnd;
strcpy( Param->Url, ActionURL ); strncpy( Param->Url, ActionURL, sizeof( Param->Url ) - 1 );
strcpy( Param->ServiceType, ServiceType ); strncpy( Param->ServiceType, ServiceType,
sizeof ( Param->ServiceType ) - 1 );
retVal = ixmlParseBufferEx( headerStr, &( Param->Header ) ); retVal = ixmlParseBufferEx( headerStr, &( Param->Header ) );
if( retVal != IXML_SUCCESS ) { if( retVal != IXML_SUCCESS ) {
ixmlFreeDOMString( tmpStr ); ixmlFreeDOMString( tmpStr );
@ -2783,11 +2796,12 @@ int UpnpGetServiceVarStatusAsync(
if( Param == NULL ) { if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY; return UPNP_E_OUTOF_MEMORY;
} }
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = STATUS; Param->FunName = STATUS;
Param->Handle = Hnd; Param->Handle = Hnd;
strcpy( Param->Url, ActionURL ); strncpy( Param->Url, ActionURL, sizeof( Param->Url ) - 1);
strcpy( Param->VarName, VarName ); strncpy( Param->VarName, VarName, sizeof( Param->VarName ) - 1 );
Param->Fun = Fun; Param->Fun = Fun;
Param->Cookie = ( void * )Cookie_const; Param->Cookie = ( void * )Cookie_const;
@ -3434,6 +3448,7 @@ void UpnpThreadDistribution(struct UpnpNonblockParam *Param)
#if EXCLUDE_GENA == 0 #if EXCLUDE_GENA == 0
case SUBSCRIBE: { case SUBSCRIBE: {
struct Upnp_Event_Subscribe Evt; struct Upnp_Event_Subscribe Evt;
memset(&Evt, 0, sizeof(Evt));
/* Cast away constness */ /* Cast away constness */
/*UpnpString *Sid = (UpnpString *)UpnpEventSubscribe_get_SID(evt);*/ /*UpnpString *Sid = (UpnpString *)UpnpEventSubscribe_get_SID(evt);*/
UpnpString *Sid = UpnpString_new(); UpnpString *Sid = UpnpString_new();
@ -3444,9 +3459,11 @@ void UpnpThreadDistribution(struct UpnpNonblockParam *Param)
Url, Url,
(int *)&Param->TimeOut, (int *)&Param->TimeOut,
Sid); Sid);
strcpy(Evt.PublisherUrl, Param->Url); strncpy(Evt.PublisherUrl, Param->Url,
sizeof(Evt.PublisherUrl) - 1);
Evt.TimeOut = Param->TimeOut; Evt.TimeOut = Param->TimeOut;
strcpy((char *)Evt.Sid, UpnpString_get_String(Sid)); strncpy((char *)Evt.Sid, UpnpString_get_String(Sid),
sizeof((char *)Evt.Sid) - 1);
Param->Fun(UPNP_EVENT_SUBSCRIBE_COMPLETE, &Evt, Param->Cookie); Param->Fun(UPNP_EVENT_SUBSCRIBE_COMPLETE, &Evt, Param->Cookie);
UpnpString_delete(Sid); UpnpString_delete(Sid);
UpnpString_delete(Url); UpnpString_delete(Url);
@ -3455,13 +3472,15 @@ void UpnpThreadDistribution(struct UpnpNonblockParam *Param)
} }
case UNSUBSCRIBE: { case UNSUBSCRIBE: {
struct Upnp_Event_Subscribe Evt; struct Upnp_Event_Subscribe Evt;
memset(&Evt, 0, sizeof(Evt));
UpnpString *Sid = UpnpString_new(); UpnpString *Sid = UpnpString_new();
UpnpString_set_String(Sid, Param->SubsId); UpnpString_set_String(Sid, Param->SubsId);
Evt.ErrCode = genaUnSubscribe( Evt.ErrCode = genaUnSubscribe(
Param->Handle, Param->Handle,
Sid); Sid);
strcpy((char *)Evt.Sid, UpnpString_get_String(Sid)); strncpy((char *)Evt.Sid, UpnpString_get_String(Sid),
strcpy(Evt.PublisherUrl, ""); sizeof((char *)Evt.Sid) - 1);
strncpy(Evt.PublisherUrl, "", sizeof(Evt.PublisherUrl) - 1);
Evt.TimeOut = 0; Evt.TimeOut = 0;
Param->Fun(UPNP_EVENT_UNSUBSCRIBE_COMPLETE, &Evt, Param->Cookie); Param->Fun(UPNP_EVENT_UNSUBSCRIBE_COMPLETE, &Evt, Param->Cookie);
UpnpString_delete(Sid); UpnpString_delete(Sid);
@ -3470,6 +3489,7 @@ void UpnpThreadDistribution(struct UpnpNonblockParam *Param)
} }
case RENEW: { case RENEW: {
struct Upnp_Event_Subscribe Evt; struct Upnp_Event_Subscribe Evt;
memset(&Evt, 0, sizeof(Evt));
UpnpString *Sid = UpnpString_new(); UpnpString *Sid = UpnpString_new();
UpnpString_set_String(Sid, Param->SubsId); UpnpString_set_String(Sid, Param->SubsId);
Evt.ErrCode = genaRenewSubscription( Evt.ErrCode = genaRenewSubscription(
@ -3477,7 +3497,8 @@ void UpnpThreadDistribution(struct UpnpNonblockParam *Param)
Sid, Sid,
&Param->TimeOut); &Param->TimeOut);
Evt.TimeOut = Param->TimeOut; Evt.TimeOut = Param->TimeOut;
strcpy((char *)Evt.Sid, UpnpString_get_String(Sid)); strncpy((char *)Evt.Sid, UpnpString_get_String(Sid),
sizeof((char *)Evt.Sid) - 1);
Param->Fun(UPNP_EVENT_RENEWAL_COMPLETE, &Evt, Param->Cookie); Param->Fun(UPNP_EVENT_RENEWAL_COMPLETE, &Evt, Param->Cookie);
UpnpString_delete(Sid); UpnpString_delete(Sid);
free(Param); free(Param);
@ -3487,13 +3508,14 @@ void UpnpThreadDistribution(struct UpnpNonblockParam *Param)
#if EXCLUDE_SOAP == 0 #if EXCLUDE_SOAP == 0
case ACTION: { case ACTION: {
struct Upnp_Action_Complete Evt; struct Upnp_Action_Complete Evt;
memset(&Evt, 0, sizeof(Evt));
Evt.ActionResult = NULL; Evt.ActionResult = NULL;
Evt.ErrCode = SoapSendAction( Evt.ErrCode = SoapSendAction(
Param->Url, Param->Url,
Param->ServiceType, Param->ServiceType,
Param->Act, &Evt.ActionResult); Param->Act, &Evt.ActionResult);
Evt.ActionRequest = Param->Act; Evt.ActionRequest = Param->Act;
strcpy(Evt.CtrlUrl, Param->Url); strncpy(Evt.CtrlUrl, Param->Url, sizeof(Evt.CtrlUrl) - 1);
Param->Fun(UPNP_CONTROL_ACTION_COMPLETE, &Evt, Param->Cookie); Param->Fun(UPNP_CONTROL_ACTION_COMPLETE, &Evt, Param->Cookie);
ixmlDocument_free(Evt.ActionRequest); ixmlDocument_free(Evt.ActionRequest);
ixmlDocument_free(Evt.ActionResult); ixmlDocument_free(Evt.ActionResult);
@ -3502,12 +3524,14 @@ void UpnpThreadDistribution(struct UpnpNonblockParam *Param)
} }
case STATUS: { case STATUS: {
struct Upnp_State_Var_Complete Evt; struct Upnp_State_Var_Complete Evt;
memset(&Evt, 0, sizeof(Evt));
Evt.ErrCode = SoapGetServiceVarStatus( Evt.ErrCode = SoapGetServiceVarStatus(
Param->Url, Param->Url,
Param->VarName, Param->VarName,
&Evt.CurrentVal); &Evt.CurrentVal);
strcpy(Evt.StateVarName, Param->VarName); strncpy(Evt.StateVarName, Param->VarName,
strcpy(Evt.CtrlUrl, Param->Url); sizeof(Evt.StateVarName) - 1);
strncpy(Evt.CtrlUrl, Param->Url, sizeof(Evt.CtrlUrl) - 1);
Param->Fun(UPNP_CONTROL_GET_VAR_COMPLETE, &Evt, Param->Cookie); Param->Fun(UPNP_CONTROL_GET_VAR_COMPLETE, &Evt, Param->Cookie);
free(Evt.CurrentVal); free(Evt.CurrentVal);
free(Param); free(Param);
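Review bot: The three `strncpy((char *)Evt.Sid, ..., sizeof((char *)Evt.Sid) - 1)` calls in the SUBSCRIBE, UNSUBSCRIBE and RENEW cases of UpnpThreadDistribution take `sizeof` of a `char *` cast, which is the size of a pointer and not of the Sid buffer. The bound therefore becomes 3 or 7 bytes on common targets, so the subscription id handed to `Param->Fun` is cut short rather than protected. The other Sid copies in this commit pass the array itself, and the same form fits here: `strncpy((char *)Evt.Sid, UpnpString_get_String(Sid), sizeof(Evt.Sid) - 1);`. This assumes `Evt.Sid` is an array member, as the `sizeof(RenewEventStruct->Sid)` use elsewhere in the commit suggests.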


@ -155,6 +155,7 @@ static int ScheduleGenaAutoRenew(
return_code = UPNP_E_OUTOF_MEMORY; return_code = UPNP_E_OUTOF_MEMORY;
goto end_function; goto end_function;
} }
memset(RenewEventStruct, 0, sizeof(struct Upnp_Event_Subscribe));
RenewEvent = (upnp_timeout *) malloc(sizeof(upnp_timeout)); RenewEvent = (upnp_timeout *) malloc(sizeof(upnp_timeout));
if (RenewEvent == NULL) { if (RenewEvent == NULL) {
@ -162,11 +163,13 @@ static int ScheduleGenaAutoRenew(
return_code = UPNP_E_OUTOF_MEMORY; return_code = UPNP_E_OUTOF_MEMORY;
goto end_function; goto end_function;
} }
memset(RenewEvent, 0, sizeof(upnp_timeout));
/* schedule expire event */ /* schedule expire event */
RenewEventStruct->ErrCode = UPNP_E_SUCCESS; RenewEventStruct->ErrCode = UPNP_E_SUCCESS;
RenewEventStruct->TimeOut = TimeOut; RenewEventStruct->TimeOut = TimeOut;
strcpy(RenewEventStruct->Sid, UpnpString_get_String(tmpSID)); strncpy(RenewEventStruct->Sid, UpnpString_get_String(tmpSID),
sizeof(RenewEventStruct->Sid) - 1);
strncpy(RenewEventStruct->PublisherUrl, strncpy(RenewEventStruct->PublisherUrl,
UpnpString_get_String(tmpEventURL), NAME_SIZE - 1); UpnpString_get_String(tmpEventURL), NAME_SIZE - 1);
@ -791,7 +794,9 @@ void gena_process_notification_event(
/* fill event struct */ /* fill event struct */
tmpSID = UpnpClientSubscription_get_SID(subscription); tmpSID = UpnpClientSubscription_get_SID(subscription);
strcpy(event_struct.Sid, UpnpString_get_String(tmpSID)); memset(event_struct.Sid, 0, sizeof(event_struct.Sid));
strncpy(event_struct.Sid, UpnpString_get_String(tmpSID),
sizeof(event_struct.Sid) - 1);
event_struct.EventKey = eventKey; event_struct.EventKey = eventKey;
event_struct.ChangedVariables = ChangedVars; event_struct.ChangedVariables = ChangedVars;


@ -558,7 +558,9 @@ int genaInitNotify(
thread_struct->UDN = UDN_copy; thread_struct->UDN = UDN_copy;
thread_struct->headers = headers; thread_struct->headers = headers;
thread_struct->propertySet = propertySet; thread_struct->propertySet = propertySet;
strcpy(thread_struct->sid, sid); memset(thread_struct->sid, 0, sizeof(thread_struct->sid));
strncpy(thread_struct->sid, sid,
sizeof(thread_struct->sid) - 1);
thread_struct->eventKey = sub->eventKey++; thread_struct->eventKey = sub->eventKey++;
thread_struct->reference_count = reference_count; thread_struct->reference_count = reference_count;
thread_struct->device_handle = device_handle; thread_struct->device_handle = device_handle;
@ -714,7 +716,9 @@ int genaInitNotifyExt(
thread_struct->UDN = UDN_copy; thread_struct->UDN = UDN_copy;
thread_struct->headers = headers; thread_struct->headers = headers;
thread_struct->propertySet = propertySet; thread_struct->propertySet = propertySet;
strcpy(thread_struct->sid, sid); memset(thread_struct->sid, 0, sizeof(thread_struct->sid));
strncpy(thread_struct->sid, sid,
sizeof(thread_struct->sid) - 1);
thread_struct->eventKey = sub->eventKey++; thread_struct->eventKey = sub->eventKey++;
thread_struct->reference_count = reference_count; thread_struct->reference_count = reference_count;
thread_struct->device_handle = device_handle; thread_struct->device_handle = device_handle;
@ -846,7 +850,10 @@ int genaNotifyAllExt(
thread_struct->servId = servId_copy; thread_struct->servId = servId_copy;
thread_struct->headers = headers; thread_struct->headers = headers;
thread_struct->propertySet = propertySet; thread_struct->propertySet = propertySet;
strcpy(thread_struct->sid, finger->sid); memset(thread_struct->sid, 0,
sizeof(thread_struct->sid));
strncpy(thread_struct->sid, finger->sid,
sizeof(thread_struct->sid) - 1);
thread_struct->eventKey = finger->eventKey++; thread_struct->eventKey = finger->eventKey++;
thread_struct->device_handle = device_handle; thread_struct->device_handle = device_handle;
/* if overflow, wrap to 1 */ /* if overflow, wrap to 1 */
@ -986,7 +993,10 @@ int genaNotifyAll(
thread_struct->servId = servId_copy; thread_struct->servId = servId_copy;
thread_struct->headers = headers; thread_struct->headers = headers;
thread_struct->propertySet = propertySet; thread_struct->propertySet = propertySet;
strcpy(thread_struct->sid, finger->sid); memset(thread_struct->sid, 0,
sizeof(thread_struct->sid));
strncpy(thread_struct->sid, finger->sid,
sizeof(thread_struct->sid) - 1);
thread_struct->eventKey = finger->eventKey++; thread_struct->eventKey = finger->eventKey++;
thread_struct->device_handle = device_handle; thread_struct->device_handle = device_handle;
/* if overflow, wrap to 1 */ /* if overflow, wrap to 1 */
@ -1196,6 +1206,8 @@ void gena_process_subscription_request(
memptr callback_hdr; memptr callback_hdr;
memptr timeout_hdr; memptr timeout_hdr;
memset(&request_struct, 0, sizeof(request_struct));
UpnpPrintf(UPNP_INFO, GENA, __FILE__, __LINE__, UpnpPrintf(UPNP_INFO, GENA, __FILE__, __LINE__,
"Subscription Request Received:\n"); "Subscription Request Received:\n");
@ -1341,7 +1353,8 @@ void gena_process_subscription_request(
/* finally generate callback for init table dump */ /* finally generate callback for init table dump */
request_struct.ServiceId = service->serviceId; request_struct.ServiceId = service->serviceId;
request_struct.UDN = service->UDN; request_struct.UDN = service->UDN;
strcpy((char *)request_struct.Sid, sub->sid); strncpy((char *)request_struct.Sid, sub->sid,
sizeof(request_struct.Sid) - 1);
/* copy callback */ /* copy callback */
callback_fun = handle_info->Callback; callback_fun = handle_info->Callback;
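Review bot: The `memset(thread_struct->sid, 0, sizeof(thread_struct->sid))` before each `strncpy` in genaInitNotify, genaInitNotifyExt, genaNotifyAllExt and genaNotifyAll clears bytes that `strncpy` then writes again, since `strncpy` already zero-pads up to its length argument. Only the last byte needs setting, and writing that after the copy states the intent directly: `thread_struct->sid[sizeof(thread_struct->sid) - 1] = '\0';`. In the two NotifyAll functions the `finger->eventKey++` line suggests a per-subscriber loop, where the extra pass over the buffer would repeat on every iteration. All four function bodies extend beyond the hunks.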


@ -149,9 +149,9 @@ void ssdp_handle_ctrlpt_msg(http_message_t *hmsg, struct sockaddr_storage *dest_
linecopylen(param.Os, hdr_value.buf, hdr_value.length); linecopylen(param.Os, hdr_value.buf, hdr_value.length);
} }
/* clear everything */ /* clear everything */
param.DeviceId[0] = '\0'; memset(param.DeviceId, 0, sizeof(param.DeviceId));
param.DeviceType[0] = '\0'; memset(param.DeviceType, 0, sizeof(param.DeviceType));
param.ServiceType[0] = '\0'; memset(param.ServiceType, 0, sizeof(param.ServiceType));
/* not used; version is in ServiceType */ /* not used; version is in ServiceType */
param.ServiceVer[0] = '\0'; param.ServiceVer[0] = '\0';
event.UDN[0] = '\0'; event.UDN[0] = '\0';
@ -172,9 +172,11 @@ void ssdp_handle_ctrlpt_msg(http_message_t *hmsg, struct sockaddr_storage *dest_
hdr_value.buf[hdr_value.length] = save_char; hdr_value.buf[hdr_value.length] = save_char;
} }
if (nt_found || usn_found) { if (nt_found || usn_found) {
strcpy(param.DeviceId, event.UDN); strncpy(param.DeviceId, event.UDN, sizeof(param.DeviceId) - 1);
strcpy(param.DeviceType, event.DeviceType); strncpy(param.DeviceType, event.DeviceType,
strcpy(param.ServiceType, event.ServiceType); sizeof(param.DeviceType) - 1);
strncpy(param.ServiceType, event.ServiceType,
sizeof(param.ServiceType) - 1);
} }
/* ADVERT. OR BYEBYE */ /* ADVERT. OR BYEBYE */
if (hmsg->is_request) { if (hmsg->is_request) {
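Review bot: NUL termination of `param.DeviceId`, `param.DeviceType` and `param.ServiceType` now depends on the `memset` calls under `/* clear everything */`, roughly twenty lines before the `strncpy` calls and in a different hunk. If code between the two (not visible here) ever writes to those buffers, the `- 1` bound alone no longer guarantees a terminator. Either set it next to the copy, e.g. `param.DeviceId[sizeof(param.DeviceId) - 1] = '\0';`, or add a comment at the copies such as `/* last byte stays 0 from the memset above */`. ssdp_handle_ctrlpt_msg begins and ends outside these hunks.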


@ -110,6 +110,10 @@ int AdvertiseAndReply(int AdFlag, UpnpDevice_Handle Hnd,
const DOMString dbgStr; const DOMString dbgStr;
int NumCopy = 0; int NumCopy = 0;
memset(UDNstr, 0, sizeof(UDNstr));
memset(devType, 0, sizeof(devType));
memset(servType, 0, sizeof(servType));
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Inside AdvertiseAndReply with AdFlag = %d\n", AdFlag); "Inside AdvertiseAndReply with AdFlag = %d\n", AdFlag);
@ -162,7 +166,7 @@ int AdvertiseAndReply(int AdFlag, UpnpDevice_Handle Hnd,
tmpStr = ixmlNode_getNodeValue(textNode); tmpStr = ixmlNode_getNodeValue(textNode);
if (!tmpStr) if (!tmpStr)
continue; continue;
strcpy(devType, tmpStr); strncpy(devType, tmpStr, sizeof(devType) - 1);
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__, UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Extracting device type = %s\n", devType); "Extracting device type = %s\n", devType);
if (!tmpNode) { if (!tmpNode) {
@ -197,7 +201,7 @@ int AdvertiseAndReply(int AdFlag, UpnpDevice_Handle Hnd,
__LINE__, "UDN not found!\n"); __LINE__, "UDN not found!\n");
continue; continue;
} }
strcpy(UDNstr, tmpStr); strncpy(UDNstr, tmpStr, sizeof(UDNstr) - 1);
UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__, UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__,
"Sending UDNStr = %s \n", UDNstr); "Sending UDNStr = %s \n", UDNstr);
if (AdFlag) { if (AdFlag) {
@ -351,7 +355,7 @@ int AdvertiseAndReply(int AdFlag, UpnpDevice_Handle Hnd,
tmpStr = ixmlNode_getNodeValue(textNode); tmpStr = ixmlNode_getNodeValue(textNode);
if (!tmpStr) if (!tmpStr)
continue; continue;
strcpy(servType, tmpStr); strncpy(servType, tmpStr, sizeof(servType) - 1);
UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__, UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__,
"ServiceType = %s\n", servType); "ServiceType = %s\n", servType);
if (AdFlag) { if (AdFlag) {
@ -483,19 +487,25 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
n = (size_t) (Ptr - TempPtr); n = (size_t) (Ptr - TempPtr);
strncpy(Evt->UDN, TempPtr, n); strncpy(Evt->UDN, TempPtr, n);
Evt->UDN[n] = '\0'; Evt->UDN[n] = '\0';
} else } else {
strcpy(Evt->UDN, TempPtr); memset(Evt->UDN, 0, sizeof(Evt->UDN));
strncpy(Evt->UDN, TempPtr, sizeof(Evt->UDN) - 1);
}
CommandFound = 1; CommandFound = 1;
} }
if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) { if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) {
if ((TempPtr = strstr(cmd, "urn")) != NULL) { if ((TempPtr = strstr(cmd, "urn")) != NULL) {
strcpy(Evt->ServiceType, TempPtr); memset(Evt->ServiceType, 0, sizeof(Evt->ServiceType));
strncpy(Evt->ServiceType, TempPtr,
sizeof(Evt->ServiceType) - 1);
CommandFound = 1; CommandFound = 1;
} }
} }
if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) { if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) {
if ((TempPtr = strstr(cmd, "urn")) != NULL) { if ((TempPtr = strstr(cmd, "urn")) != NULL) {
strcpy(Evt->DeviceType, TempPtr); memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
strncpy(Evt->DeviceType, TempPtr,
sizeof(Evt->DeviceType) - 1);
CommandFound = 1; CommandFound = 1;
} }
} }
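Review bot: The first branch of the UDN copy in unique_service_name is left unbounded: `n = (size_t) (Ptr - TempPtr);` followed by `strncpy(Evt->UDN, TempPtr, n); Evt->UDN[n] = '\0';` takes its length from `cmd`, not from the destination. If the span from `TempPtr` to `Ptr` is longer than `Evt->UDN`, both the copy and the terminator write past the buffer, which is the class of bug this commit sets out to remove. Clamping first closes it: `if (n >= sizeof(Evt->UDN)) n = sizeof(Evt->UDN) - 1;`. This assumes `Evt->UDN` is an array member, as the new `else` branch already does; the function starts before the hunk.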