SF Bug Tracker id 3497033 - Buffer not null terminated in UpnpInit

Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 06:42:18 PST

gIF_IPV4, gIF_IPV6 and gIF_IPV6_ULA_GUA might be not null terminated.
Moreover, gIF_IPV4 should be 16 characters (INET_ADDRSTRLEN) and not 22
and gIF_IPV6 should be 46 characters (INET6_ADDRSTRLEN) and not 65.

ChangeLog

@@ -2,6 +2,16 @@
 Version 1.6.16
 *******************************************************************************
 
+2012-03-05 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
+
+	SF Bug Tracker id 3497033 - Buffer not null terminated in UpnpInit
+
+	Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 06:42:18 PST
+
+	gIF_IPV4, gIF_IPV6 and gIF_IPV6_ULA_GUA might be not null terminated.
+	Moreover, gIF_IPV4 should be 16 characters (INET_ADDRSTRLEN) and not 22
+	and gIF_IPV6 should be 46 characters (INET6_ADDRSTRLEN) and not 65.
+
 2012-03-05 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
 
 	Bug fix of lastest commit (parse_hostport)

upnp/src/api/upnpapi.c

@@ -130,10 +130,10 @@ WebServerState bWebServerState = WEB_SERVER_DISABLED;
 char gIF_NAME[LINE_SIZE] = { '\0' };
 
 /*! Static buffer to contain interface IPv4 address. (extern'ed in upnp.h) */
-char gIF_IPV4[22]/* INET_ADDRSTRLEN*/ = { '\0' };
+char gIF_IPV4[INET_ADDRSTRLEN] = { '\0' };
 
 /*! Static buffer to contain interface IPv6 address. (extern'ed in upnp.h) */
-char gIF_IPV6[65]/* INET6_ADDRSTRLEN*/ = { '\0' };
+char gIF_IPV6[INET6_ADDRSTRLEN] = { '\0' };
 
 /*! Static buffer to contain interface ULA or GUA IPv6 address. (extern'ed in upnp.h) */
 char gIF_IPV6_ULA_GUA[INET6_ADDRSTRLEN] = { '\0' };
@@ -443,10 +443,11 @@ int UpnpInit(const char *HostIP, unsigned short DestPort)
 		HostIP ? HostIP : "", DestPort);
 
 	/* Verify HostIP, if provided, or find it ourselves. */
+	memset(gIF_IPV4, 0, sizeof(gIF_IPV4));
 	if (HostIP != NULL) {
-		strncpy(gIF_IPV4, HostIP, sizeof(gIF_IPV4));
+		strncpy(gIF_IPV4, HostIP, sizeof(gIF_IPV4) - 1);
 	} else {
-		if( getlocalhostname( gIF_IPV4, sizeof(gIF_IPV4) ) != UPNP_E_SUCCESS ) {
+		if( getlocalhostname( gIF_IPV4, sizeof(gIF_IPV4) - 1 ) != UPNP_E_SUCCESS ) {
 			retVal = UPNP_E_INIT_FAILED;
 			goto exit_function;
 		}
@@ -3374,22 +3375,28 @@ int UpnpGetIfInfo(const char *IfName)
 				if (inet_pton(AF_INET6, buf, &v6_addr) > 0) {
 					if (IN6_IS_ADDR_ULA(&v6_addr)) {
 						/* Got valid IPv6 ula. */
+						memset(gIF_IPV6_ULA_GUA, 0,
+							sizeof(gIF_IPV6_ULA_GUA));
 						strncpy(gIF_IPV6_ULA_GUA, buf,
 							sizeof
-							(gIF_IPV6_ULA_GUA));
+							(gIF_IPV6_ULA_GUA) - 1);
 					} else if (IN6_IS_ADDR_GLOBAL(&v6_addr)
 						   && strlen(gIF_IPV6_ULA_GUA)
 						   == 0) {
 						/* got a GUA, should store it while no ULA is found */
+						memset(gIF_IPV6_ULA_GUA, 0,
+                                                        sizeof(gIF_IPV6_ULA_GUA));
 						strncpy(gIF_IPV6_ULA_GUA, buf,
 							sizeof
-							(gIF_IPV6_ULA_GUA));
+							(gIF_IPV6_ULA_GUA) - 1);
 					} else
 					    if (IN6_IS_ADDR_LINKLOCAL(&v6_addr)
 						&& strlen(gIF_IPV6) == 0) {
 						/* got a Link local IPv6 address. */
+						memset(gIF_IPV6, 0,
+                                                        sizeof(gIF_IPV6));
 						strncpy(gIF_IPV6, buf,
-							sizeof(gIF_IPV6));
+							sizeof(gIF_IPV6) - 1);
 					}
 				}
 			}

upnp/src/inc/upnpapi.h

@@ -2,7 +2,7 @@
  *
  * Copyright (c) 2000-2003 Intel Corporation 
  * All rights reserved. 
- * Copyright (C) 2011 France Telecom All rights reserved. 
+ * Copyright (C) 2011-2012 France Telecom All rights reserved. 
  *
  * Redistribution and use in source and binary forms, with or without 
  * modification, are permitted provided that the following conditions are met: 
@@ -182,10 +182,8 @@ Upnp_Handle_Type GetDeviceHandleInfo(
 
 
 extern char gIF_NAME[LINE_SIZE];
-/*! INET_ADDRSTRLEN. */
+extern char gIF_IPV4[INET_ADDRSTRLEN];
-extern char gIF_IPV4[22];
+extern char gIF_IPV6[INET6_ADDRSTRLEN];
-/*! INET6_ADDRSTRLEN. */
-extern char gIF_IPV6[65];
 
 extern char gIF_IPV6_ULA_GUA[INET6_ADDRSTRLEN];