From f6e88d5b0a9c1e2cb2f6bf5e394f055116071fb7 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Mon, 5 Mar 2012 17:22:46 +0100
Subject: [PATCH] SF Bug Tracker id 3497033 - Buffer not null terminated in UpnpInit
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 06:42:18 PST
gIF_IPV4, gIF_IPV6 and gIF_IPV6_ULA_GUA might be not null terminated. Moreover, gIF_IPV4 should be 16 characters (INET_ADDRSTRLEN) and not 22 and gIF_IPV6 should be 46 characters (INET6_ADDRSTRLEN) and not 65.
---
 ChangeLog | 10 ++++++++++
 upnp/src/api/upnpapi.c | 21 ++++++++++++++-------
 upnp/src/inc/upnpapi.h | 8 +++-----
 3 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index eb7abc5..6f61c62 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,16 @@
 Version 1.6.16
 *******************************************************************************
+2012-03-05 Fabrice Fontaine
+
+ SF Bug Tracker id 3497033 - Buffer not null terminated in UpnpInit
+
+ Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 06:42:18 PST
+
+ gIF_IPV4, gIF_IPV6 and gIF_IPV6_ULA_GUA might be not null terminated.
+ Moreover, gIF_IPV4 should be 16 characters (INET_ADDRSTRLEN) and not 22
+ and gIF_IPV6 should be 46 characters (INET6_ADDRSTRLEN) and not 65.
+
 2012-03-05 Fabrice Fontaine
 Bug fix of lastest commit (parse_hostport)
diff --git a/upnp/src/api/upnpapi.c b/upnp/src/api/upnpapi.c
index df6370a..e4a4cf7 100644
--- a/upnp/src/api/upnpapi.c
+++ b/upnp/src/api/upnpapi.c
@@ -130,10 +130,10 @@ WebServerState bWebServerState = WEB_SERVER_DISABLED;
 char gIF_NAME[LINE_SIZE] = { '\0' };
 /*! Static buffer to contain interface IPv4 address. (extern'ed in upnp.h) */
-char gIF_IPV4[22]/* INET_ADDRSTRLEN*/ = { '\0' };
+char gIF_IPV4[INET_ADDRSTRLEN] = { '\0' };
 /*! Static buffer to contain interface IPv6 address. (extern'ed in upnp.h) */
-char gIF_IPV6[65]/* INET6_ADDRSTRLEN*/ = { '\0' };
+char gIF_IPV6[INET6_ADDRSTRLEN] = { '\0' };
 /*! Static buffer to contain interface ULA or GUA IPv6 address. (extern'ed in upnp.h) */
 char gIF_IPV6_ULA_GUA[INET6_ADDRSTRLEN] = { '\0' };
@@ -443,10 +443,11 @@ int UpnpInit(const char *HostIP, unsigned short DestPort)
 HostIP ? HostIP : "", DestPort);
 /* Verify HostIP, if provided, or find it ourselves. */
+ memset(gIF_IPV4, 0, sizeof(gIF_IPV4));
 if (HostIP != NULL) {
- strncpy(gIF_IPV4, HostIP, sizeof(gIF_IPV4));
+ strncpy(gIF_IPV4, HostIP, sizeof(gIF_IPV4) - 1);
 } else {
- if( getlocalhostname( gIF_IPV4, sizeof(gIF_IPV4) ) != UPNP_E_SUCCESS ) {
+ if( getlocalhostname( gIF_IPV4, sizeof(gIF_IPV4) - 1 ) != UPNP_E_SUCCESS ) {
 retVal = UPNP_E_INIT_FAILED;
 goto exit_function;
 }
@@ -3374,22 +3375,28 @@ int UpnpGetIfInfo(const char *IfName)
 if (inet_pton(AF_INET6, buf, &v6_addr) > 0) {
 if (IN6_IS_ADDR_ULA(&v6_addr)) {
 /* Got valid IPv6 ula. */
+ memset(gIF_IPV6_ULA_GUA, 0,
+ sizeof(gIF_IPV6_ULA_GUA));
 strncpy(gIF_IPV6_ULA_GUA, buf, sizeof
- (gIF_IPV6_ULA_GUA));
+ (gIF_IPV6_ULA_GUA) - 1);
 } else if (IN6_IS_ADDR_GLOBAL(&v6_addr) && strlen(gIF_IPV6_ULA_GUA) == 0) {
 /* got a GUA, should store it while no ULA is found */
+ memset(gIF_IPV6_ULA_GUA, 0,
+ sizeof(gIF_IPV6_ULA_GUA));
 strncpy(gIF_IPV6_ULA_GUA, buf, sizeof
- (gIF_IPV6_ULA_GUA));
+ (gIF_IPV6_ULA_GUA) - 1);
 } else if (IN6_IS_ADDR_LINKLOCAL(&v6_addr) && strlen(gIF_IPV6) == 0) {
 /* got a Link local IPv6 address. */
+ memset(gIF_IPV6, 0,
+ sizeof(gIF_IPV6));
 strncpy(gIF_IPV6, buf,
- sizeof(gIF_IPV6));
+ sizeof(gIF_IPV6) - 1);
 }
 }
 }
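Review bot: Shrinking `gIF_IPV4` from 22 to `INET_ADDRSTRLEN` bytes and `gIF_IPV6` from 65 to `INET6_ADDRSTRLEN` bytes in the first upnpapi.c hunk turns any writer that still assumes the old capacity into an overflow. The patch only shows the writers in UpnpInit and UpnpGetIfInfo being bounded by `sizeof`. The doc comments say these buffers are extern'ed in upnp.h, and the upnpapi.h declarations change in step, so code outside these files may still carry the old `[22]`/`[65]` sizes; whether other writers exist cannot be seen from the hunk and should be checked. I would also state the contract in each comment, e.g. `/*! Static buffer to contain interface IPv4 address; always NUL-terminated, capacity INET_ADDRSTRLEN including the terminator. */`.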
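Review bot: In UpnpInit, `strncpy(gIF_IPV4, HostIP, sizeof(gIF_IPV4) - 1)` now leaves the buffer terminated but silently truncates a caller-supplied HostIP that does not fit, so initialization can continue with a different address string than the one requested. Nothing in the hunk validates HostIP despite the "Verify HostIP" comment, so an explicit length check before the copy would be safer, e.g. `if (strlen(HostIP) >= sizeof(gIF_IPV4)) { retVal = UPNP_E_INVALID_PARAM; goto exit_function; }`. In the else branch the terminator depends on the preceding memset together with passing `sizeof(gIF_IPV4) - 1` to getlocalhostname, whose own termination behaviour is not visible here; a short comment saying so would help the next reader. UpnpInit's body starts and ends outside the hunk.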
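Review bot: The `memset` followed by `strncpy(..., sizeof(x) - 1)` pair is written out three times in the UpnpGetIfInfo hunk (and once more in UpnpInit), which makes it easy to drop the `- 1` or the memset on the next edit. strncpy already zero-pads the bytes it is given, so only the final byte needs clearing; each pair could be a single bounded call such as `snprintf(gIF_IPV6, sizeof(gIF_IPV6), "%s", buf);`, or a small static helper that copies and terminates. Because `buf` has just been accepted by `inet_pton(AF_INET6, ...)`, truncation looks unlikely on these three paths, but a shared helper would also be the natural place to detect and report it. The enclosing function starts and ends outside the hunk.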
diff --git a/upnp/src/inc/upnpapi.h b/upnp/src/inc/upnpapi.h
index f8546fb..75ed8b6 100644
--- a/upnp/src/inc/upnpapi.h
+++ b/upnp/src/inc/upnpapi.h
@@ -2,7 +2,7 @@
 *
 * Copyright (c) 2000-2003 Intel Corporation
 * All rights reserved.
- * Copyright (C) 2011 France Telecom All rights reserved.
+ * Copyright (C) 2011-2012 France Telecom All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
@@ -182,10 +182,8 @@ Upnp_Handle_Type GetDeviceHandleInfo(
 extern char gIF_NAME[LINE_SIZE];
-/*! INET_ADDRSTRLEN. */
-extern char gIF_IPV4[22];
-/*! INET6_ADDRSTRLEN. */
-extern char gIF_IPV6[65];
+extern char gIF_IPV4[INET_ADDRSTRLEN];
+extern char gIF_IPV6[INET6_ADDRSTRLEN];
 extern char gIF_IPV6_ULA_GUA[INET6_ADDRSTRLEN];