2010-09-10 Jean Sigwald <jean.sigwald(at)orange-ftgroup.com>

I discovered a reliable denial-of-service issue on the last stable
release of libupnp (1.6.6) remotely triggerable by any
unauthenticated user. The issue is related with a bad parsing of
malformed XML.
(cherry picked from commit 25a4bd6d25)

ChangeLog

@@ -2,6 +2,12 @@
 Version 1.8.0
 *******************************************************************************
 
+2010-09-10 Jean Sigwald <jean.sigwald(at)orange-ftgroup.com>
+	I discovered a reliable denial-of-service issue on the last stable
+	release of libupnp (1.6.6) remotely triggerable by any
+	unauthenticated user. The issue is related with a bad parsing of
+	malformed XML.
+
 2010-09-10 Chandra Penke <chandrapenke(at)mcntech.com>
 	* SF Patch Tracker [ 2854711 ] Patch for Solaris10 compilation and usage
 	Submitted By: zephyrus ( zephyrus00jp )

ixml/src/ixmlparser.c

@@ -582,11 +582,14 @@ static int Parser_isValidEndElement(
 	IXML_Node *newNode)
 {
 	assert(xmlParser);
-	assert(xmlParser->pCurElement);
 	assert(xmlParser->pCurElement->element);
 	assert(newNode);
 	assert(newNode->nodeName);
 
+	if (xmlParser->pCurElement == NULL) {
+		return 0;
+	}
+
 	return strcmp(xmlParser->pCurElement->element, newNode->nodeName) == 0;
 }