SF Bug Tracker id 3497714 - Buffer overflows

Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-06 07:36:08 PST

Call to strcpy should be replaced by call to memset and strncpy to
avoid getting buffer overflows.
Fabrice Fontaine 2012-03-06 12:48:06 +01:00 committed by Marcelo Roberto Jimenez
parent 908391ddf0
commit d6db7c555d
5 changed files with 70 additions and 26 deletions


@ -299,6 +299,15 @@ Version 1.8.0
Version 1.6.16
*******************************************************************************
2012-03-06 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
SF Bug Tracker id 3497714 - Buffer overflows
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-06 07:36:08 PST
Call to strcpy should be replaced by call to memset and strncpy to
avoid getting buffer overflows.
2012-03-05 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>
SF Bug Tracker id 2989399 - UpnpSetVirtualDirCallbacks API removal in 1.6.x


@ -817,6 +817,7 @@ int UpnpRegisterRootDevice(
retVal = UPNP_E_OUTOF_MEMORY;
goto exit_function;
}
memset(HInfo, 0, sizeof(struct Handle_Info));
HandleTable[*Hnd] = HInfo;
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
@ -824,8 +825,8 @@ int UpnpRegisterRootDevice(
HInfo->aliasInstalled = 0;
HInfo->HType = HND_DEVICE;
strcpy(HInfo->DescURL, DescUrl);
strcpy(HInfo->LowerDescURL, DescUrl);
strncpy(HInfo->DescURL, DescUrl, sizeof(HInfo->DescURL) - 1);
strncpy(HInfo->LowerDescURL, DescUrl, sizeof(HInfo->LowerDescURL) - 1);
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Following Root Device URL will be used when answering to legacy CPs %s\n",
HInfo->LowerDescURL);
@ -978,6 +979,7 @@ int UpnpRegisterRootDevice2(
retVal = UPNP_E_OUTOF_MEMORY;
goto exit_function;
}
memset(HInfo, 0, sizeof(struct Handle_Info));
HandleTable[*Hnd] = HInfo;
/* prevent accidental removal of a non-existent alias */
@ -992,7 +994,8 @@ int UpnpRegisterRootDevice2(
goto exit_function;
}
strcpy(HInfo->LowerDescURL, HInfo->DescURL);
strncpy(HInfo->LowerDescURL, HInfo->DescURL,
sizeof(HInfo->LowerDescURL) - 1);
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Following Root Device URL will be used when answering to legacy CPs %s\n",
HInfo->LowerDescURL);
@ -1143,16 +1146,19 @@ int UpnpRegisterRootDevice4(
retVal = UPNP_E_OUTOF_MEMORY;
goto exit_function;
}
memset(HInfo, 0, sizeof(struct Handle_Info));
HandleTable[*Hnd] = HInfo;
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Root device URL is %s\n", DescUrl);
HInfo->aliasInstalled = 0;
HInfo->HType = HND_DEVICE;
strcpy(HInfo->DescURL, DescUrl);
strncpy(HInfo->DescURL, DescUrl, sizeof(HInfo->DescURL) - 1);
if (LowerDescUrl == NULL)
strcpy(HInfo->LowerDescURL, DescUrl);
strncpy(HInfo->LowerDescURL, DescUrl,
sizeof(HInfo->LowerDescURL) - 1);
else
strcpy(HInfo->LowerDescURL, LowerDescUrl);
strncpy(HInfo->LowerDescURL, LowerDescUrl,
sizeof(HInfo->LowerDescURL) - 1);
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Following Root Device URL will be used when answering to legacy CPs %s\n",
HInfo->LowerDescURL);
@ -1904,10 +1910,11 @@ int UpnpSubscribeAsync(
if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY;
}
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = SUBSCRIBE;
Param->Handle = Hnd;
strcpy( Param->Url, EvtUrl );
strncpy( Param->Url, EvtUrl, sizeof( Param->Url ) - 1 );
Param->TimeOut = TimeOut;
Param->Fun = Fun;
Param->Cookie = (void *)Cookie_const;
@ -2081,10 +2088,11 @@ int UpnpUnSubscribeAsync(
retVal = UPNP_E_OUTOF_MEMORY;
goto exit_function;
}
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = UNSUBSCRIBE;
Param->Handle = Hnd;
strcpy( Param->SubsId, SubsId );
strncpy( Param->SubsId, SubsId, sizeof( Param->SubsId ) - 1 );
Param->Fun = Fun;
Param->Cookie = (void *)Cookie_const;
TPJobInit( &job, ( start_routine ) UpnpThreadDistribution, Param );
@ -2197,10 +2205,11 @@ int UpnpRenewSubscriptionAsync(
if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY;
}
memset(Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = RENEW;
Param->Handle = Hnd;
strcpy( Param->SubsId, SubsId );
strncpy( Param->SubsId, SubsId, sizeof( Param->SubsId ) - 1 );
Param->Fun = Fun;
Param->Cookie = ( void * )Cookie_const;
Param->TimeOut = TimeOut;
@ -2632,11 +2641,13 @@ int UpnpSendActionAsync(
if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY;
}
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = ACTION;
Param->Handle = Hnd;
strcpy( Param->Url, ActionURL );
strcpy( Param->ServiceType, ServiceType );
strncpy( Param->Url, ActionURL, sizeof ( Param->Url ) - 1 );
strncpy( Param->ServiceType, ServiceType,
sizeof ( Param->ServiceType ) - 1 );
rc = ixmlParseBufferEx( tmpStr, &( Param->Act ) );
if( rc != IXML_SUCCESS ) {
@ -2727,11 +2738,13 @@ int UpnpSendActionExAsync(
if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY;
}
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = ACTION;
Param->Handle = Hnd;
strcpy( Param->Url, ActionURL );
strcpy( Param->ServiceType, ServiceType );
strncpy( Param->Url, ActionURL, sizeof( Param->Url ) - 1 );
strncpy( Param->ServiceType, ServiceType,
sizeof ( Param->ServiceType ) - 1 );
retVal = ixmlParseBufferEx( headerStr, &( Param->Header ) );
if( retVal != IXML_SUCCESS ) {
ixmlFreeDOMString( tmpStr );
@ -2816,11 +2829,12 @@ int UpnpGetServiceVarStatusAsync(
if( Param == NULL ) {
return UPNP_E_OUTOF_MEMORY;
}
memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
Param->FunName = STATUS;
Param->Handle = Hnd;
strcpy( Param->Url, ActionURL );
strcpy( Param->VarName, VarName );
strncpy( Param->Url, ActionURL, sizeof( Param->Url ) - 1);
strncpy( Param->VarName, VarName, sizeof( Param->VarName ) - 1 );
Param->Fun = Fun;
Param->Cookie = ( void * )Cookie_const;
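Review bot: Every `strncpy(..., sizeof(...) - 1)` in this file, starting with the `HInfo->DescURL` copy in UpnpRegisterRootDevice, silently truncates an over-long argument and carries on with the shortened value. The overflow is closed, but a device can be registered, or a subscribe/action request queued, with a URL or SID the caller never supplied, and the caller gets no error. A length check ahead of the allocation would make this explicit, e.g. `if (strlen(DescUrl) >= sizeof(HInfo->DescURL)) return UPNP_E_INVALID_PARAM;` (or the `retVal = ...; goto exit_function;` form where the function uses it). The same check applies to EvtUrl, SubsId, ActionURL, ServiceType and VarName in the async entry points. The enclosing functions start and end outside these hunks, so the placement relative to any existing parameter validation needs confirming.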


@ -158,6 +158,7 @@ static int ScheduleGenaAutoRenew(
return_code = UPNP_E_OUTOF_MEMORY;
goto end_function;
}
memset(RenewEvent, 0, sizeof(upnp_timeout));
/* schedule expire event */
UpnpEventSubscribe_set_ErrCode(RenewEventStruct, UPNP_E_SUCCESS);
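Review bot: The added `memset(RenewEvent, 0, sizeof(upnp_timeout));` names the type rather than the object, so the size goes stale if RenewEvent's type ever changes; `memset(RenewEvent, 0, sizeof(*RenewEvent));` keeps it tied to the pointer. The allocation is above the hunk, so this assumes RenewEvent points to a single upnp_timeout. If it comes from malloc, the allocation and the memset could be a single calloc call.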


@ -558,7 +558,9 @@ int genaInitNotify(
thread_struct->UDN = UDN_copy;
thread_struct->headers = headers;
thread_struct->propertySet = propertySet;
strcpy(thread_struct->sid, sid);
memset(thread_struct->sid, 0, sizeof(thread_struct->sid));
strncpy(thread_struct->sid, sid,
sizeof(thread_struct->sid) - 1);
thread_struct->eventKey = sub->eventKey++;
thread_struct->reference_count = reference_count;
thread_struct->device_handle = device_handle;
@ -714,7 +716,9 @@ int genaInitNotifyExt(
thread_struct->UDN = UDN_copy;
thread_struct->headers = headers;
thread_struct->propertySet = propertySet;
strcpy(thread_struct->sid, sid);
memset(thread_struct->sid, 0, sizeof(thread_struct->sid));
strncpy(thread_struct->sid, sid,
sizeof(thread_struct->sid) - 1);
thread_struct->eventKey = sub->eventKey++;
thread_struct->reference_count = reference_count;
thread_struct->device_handle = device_handle;
@ -846,7 +850,10 @@ int genaNotifyAllExt(
thread_struct->servId = servId_copy;
thread_struct->headers = headers;
thread_struct->propertySet = propertySet;
strcpy(thread_struct->sid, finger->sid);
memset(thread_struct->sid, 0,
sizeof(thread_struct->sid));
strncpy(thread_struct->sid, finger->sid,
sizeof(thread_struct->sid) - 1);
thread_struct->eventKey = finger->eventKey++;
thread_struct->device_handle = device_handle;
/* if overflow, wrap to 1 */
@ -986,7 +993,10 @@ int genaNotifyAll(
thread_struct->servId = servId_copy;
thread_struct->headers = headers;
thread_struct->propertySet = propertySet;
strcpy(thread_struct->sid, finger->sid);
memset(thread_struct->sid, 0,
sizeof(thread_struct->sid));
strncpy(thread_struct->sid, finger->sid,
sizeof(thread_struct->sid) - 1);
thread_struct->eventKey = finger->eventKey++;
thread_struct->device_handle = device_handle;
/* if overflow, wrap to 1 */
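Review bot: The `memset` + `strncpy` pair on `thread_struct->sid` is repeated in all four notify paths (genaInitNotify, genaInitNotifyExt, genaNotifyAllExt, genaNotifyAll), and the full-buffer memset is redundant because strncpy already zero-pads up to the count it is given. Only the final byte needs setting, `thread_struct->sid[sizeof(thread_struct->sid) - 1] = '\0';` after the copy, ideally in one small static helper shared by the four call sites. A SID that does not fit is still truncated without a log line or an error, so a notification could go out carrying a SID the subscriber will not recognise. If truncation is believed impossible here, a one-line comment stating why would help the next reader. The surrounding functions are only partly visible in these hunks.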


@ -110,6 +110,10 @@ int AdvertiseAndReply(int AdFlag, UpnpDevice_Handle Hnd,
const DOMString dbgStr;
int NumCopy = 0;
memset(UDNstr, 0, sizeof(UDNstr));
memset(devType, 0, sizeof(devType));
memset(servType, 0, sizeof(servType));
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Inside AdvertiseAndReply with AdFlag = %d\n", AdFlag);
@ -162,7 +166,7 @@ int AdvertiseAndReply(int AdFlag, UpnpDevice_Handle Hnd,
tmpStr = ixmlNode_getNodeValue(textNode);
if (!tmpStr)
continue;
strcpy(devType, tmpStr);
strncpy(devType, tmpStr, sizeof(devType) - 1);
UpnpPrintf(UPNP_ALL, API, __FILE__, __LINE__,
"Extracting device type = %s\n", devType);
if (!tmpNode) {
@ -197,7 +201,7 @@ int AdvertiseAndReply(int AdFlag, UpnpDevice_Handle Hnd,
__LINE__, "UDN not found!\n");
continue;
}
strcpy(UDNstr, tmpStr);
strncpy(UDNstr, tmpStr, sizeof(UDNstr) - 1);
UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__,
"Sending UDNStr = %s \n", UDNstr);
if (AdFlag) {
@ -351,7 +355,7 @@ int AdvertiseAndReply(int AdFlag, UpnpDevice_Handle Hnd,
tmpStr = ixmlNode_getNodeValue(textNode);
if (!tmpStr)
continue;
strcpy(servType, tmpStr);
strncpy(servType, tmpStr, sizeof(servType) - 1);
UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__,
"ServiceType = %s\n", servType);
if (AdFlag) {
@ -483,19 +487,25 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
n = (size_t) (Ptr - TempPtr);
strncpy(Evt->UDN, TempPtr, n);
Evt->UDN[n] = '\0';
} else
strcpy(Evt->UDN, TempPtr);
} else {
memset(Evt->UDN, 0, sizeof(Evt->UDN));
strncpy(Evt->UDN, TempPtr, sizeof(Evt->UDN) - 1);
}
CommandFound = 1;
}
if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) {
if ((TempPtr = strstr(cmd, "urn")) != NULL) {
strcpy(Evt->ServiceType, TempPtr);
memset(Evt->ServiceType, 0, sizeof(Evt->ServiceType));
strncpy(Evt->ServiceType, TempPtr,
sizeof(Evt->ServiceType) - 1);
CommandFound = 1;
}
}
if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) {
if ((TempPtr = strstr(cmd, "urn")) != NULL) {
strcpy(Evt->DeviceType, TempPtr);
memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
strncpy(Evt->DeviceType, TempPtr,
sizeof(Evt->DeviceType) - 1);
CommandFound = 1;
}
}
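Review bot: In unique_service_name the context lines `strncpy(Evt->UDN, TempPtr, n);` and `Evt->UDN[n] = '\0';` are left as they were, and `n = (size_t) (Ptr - TempPtr)` is never compared with the size of Evt->UDN. Both the copy and the terminator write can therefore land past the end of the field when the span between TempPtr and Ptr is longer than the buffer. This is the one copy in the hunk that the strcpy-to-strncpy change does not bound, and cmd presumably comes from a received SSDP message, which should be confirmed against the caller. A guard before the copy closes it, for example `if (n >= sizeof(Evt->UDN)) n = sizeof(Evt->UDN) - 1;`, or the function could reject the message instead of truncating. The function begins above the hunk, so how Ptr is derived is not visible here.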