Handle overflow in http_SendMessage.

2012-03-11 03:33:14 +09:00 · 2012-03-11 03:33:14 +09:00 · d952ebfb44
commit d952ebfb44
parent 56b44fee91
2 changed files with 7 additions and 2 deletions
--- a/1
+++ b/1
@ -11,6 +11,7 @@ Version 1.6.16
 	* Handle SearchByTarget error in UpnpSearchAsync.
 	* Pass output buffer size to addrToString and detect overflow.
 	* Handle addrToString error in configure_urlbase. 
+	* Handle overflow in http_SendMessage.
 	* Treat large argument as error in UpnpAddVirtualDir.
 	* Do not clear buffer before snprintf.
 	* Clarify the last argument of GetDescDocumentAndURL has size LINE_SIZE.
--- a/upnp/src/genlib/net/http/httpreadwrite.c
+++ b/upnp/src/genlib/net/http/httpreadwrite.c
@ -446,15 +446,19 @@ int http_SendMessage(SOCKINFO *info, int *TimeOut, const char *fmt, ...)
 				}
 				/* Create chunk for the current buffer. */
 				if (Instr && Instr->IsChunkActive) {
+					int rc;
 					/* Copy CRLF at the end of the chunk */
 					memcpy(file_buf + num_read, "\r\n", 2);
 					/* Hex length for the chunk size. */
 					memset(Chunk_Header, 0,
 						sizeof(Chunk_Header));
-					snprintf(Chunk_Header,
+					rc = snprintf(Chunk_Header,
 						sizeof(Chunk_Header) - strlen ("\r\n"),
 						"%" PRIzx, num_read);
-					/*itoa(num_read,Chunk_Header,16);  */
+					if (rc < 0 || (unsigned int) rc >= sizeof(Chunk_Header) - strlen ("\r\n")) {
+						RetVal = UPNP_E_INTERNAL_ERROR;
+						goto Cleanup_File;
+					}
 					strncat(Chunk_Header, "\r\n", strlen ("\r\n"));
 					/* Copy the chunk size header  */
 					memcpy(file_buf - strlen(Chunk_Header),