Avoid out of range access in CheckOtherHTTPHeaders.

There was a problem in the HDR_ACCEPT_LANGUAGE case.
It could read more bytes from TmpBuf than were allocated,
since the condition was always true.
Terminate RespInstr->AcceptLanguageHeader correctly.
Skip allocation if there is already sufficient buffer.
Yoichi NAKAYAMA 2012-03-11 13:21:40 +09:00
parent 1b38cc963a
commit db532afb9b
2 changed files with 20 additions and 7 deletions


@ -2,6 +2,16 @@
Version 1.6.16
*******************************************************************************
2012-03-11 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
Avoid out of range access in CheckOtherHTTPHeaders.
There was a problem in HDR_ACCEPT_LANGUAGE case.
It may read from TmpBuf larger amount than allocated,
since condition was always true.
Terminate RespInstr->AcceptLanguageHeader correctly.
Skip allocation if there is already sufficient buffer.
2012-03-10 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
Remove some of the implicit cast in upnp part


@ -894,8 +894,9 @@ static int CheckOtherHTTPHeaders(
/*NNS: dlist_node* node; */
int index, RetCode = HTTP_OK;
char *TmpBuf;
size_t TmpBufSize = LINE_SIZE;
TmpBuf = (char *)malloc(LINE_SIZE);
TmpBuf = (char *)malloc(TmpBufSize);
if (!TmpBuf)
return UPNP_E_OUTOF_MEMORY;
node = ListHead(&Req->headers);
@ -905,9 +906,10 @@ static int CheckOtherHTTPHeaders(
index = map_str_to_int((const char *)header->name.buf,
header->name.length, Http_Header_Names,
NUM_HTTP_HEADER_NAMES, FALSE);
if (header->value.length >= LINE_SIZE) {
if (header->value.length >= TmpBufSize) {
free(TmpBuf);
TmpBuf = (char *)malloc(header->value.length + 1);
TmpBufSize = header->value.length + 1;
TmpBuf = (char *)malloc(TmpBufSize);
if (!TmpBuf)
return UPNP_E_OUTOF_MEMORY;
}
@ -939,12 +941,13 @@ static int CheckOtherHTTPHeaders(
}
break;
case HDR_ACCEPT_LANGUAGE:
if (sizeof(TmpBuf) > sizeof(RespInstr->AcceptLanguageHeader)) {
memcpy(RespInstr->AcceptLanguageHeader, TmpBuf,
sizeof(RespInstr->AcceptLanguageHeader) - 1);
if (header->value.length + 1 > sizeof(RespInstr->AcceptLanguageHeader)) {
size_t length = sizeof(RespInstr->AcceptLanguageHeader) - 1;
memcpy(RespInstr->AcceptLanguageHeader, TmpBuf, length);
RespInstr->AcceptLanguageHeader[length] = '\0';
} else {
memcpy(RespInstr->AcceptLanguageHeader, TmpBuf,
sizeof(TmpBuf) - 1);
header->value.length + 1);
}
break;
default:
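Review bot: In the `else` branch of the `HDR_ACCEPT_LANGUAGE` case, copying `header->value.length + 1` bytes only produces a terminated string if `TmpBuf[header->value.length]` was set to `'\0'` earlier in the loop, and that assignment is not visible in these hunks. The truncating branch now writes its own terminator, so the short branch could do the same: `memcpy(RespInstr->AcceptLanguageHeader, TmpBuf, header->value.length);` followed by `RespInstr->AcceptLanguageHeader[header->value.length] = '\0';`. That keeps the destination terminated without depending on how TmpBuf was filled, which matters because the length comes from a request header. A one-line comment on the first branch, for example `/* over-long Accept-Language is silently truncated to fit */`, would record that the cut is intentional. CheckOtherHTTPHeaders begins and ends outside the hunks shown.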