Suppose the UPnP device is listening on 192.168.1.102:49152. Use the following to send
garbage bytes to the device:
while true; do echo "\""; done | netcat 192.168.1.102 49152
The device just keeps receiving these bytes and its memory usage keeps growing.
Malicious client may exploit it to exhaust the device's memory.
The attached patch eliminates this possibility.
(cherry picked from commit 9a9c4e829e)
1) restore the scanner's original cursor position in case of
insufficient input;
2) free the memories allocated for a new header in case of a failure.
(cherry picked from commit 7a571f513e)
it seems to me that there is still something wrong:
1) the new is_qdtext_char() is incorrect.
There is a trap if char is implemented as signed char.
Suppose that c is '\xFF', it will be -1 when converted to an int.
By definition, c should be qdtext:
qdtext = <any TEXT except <">>
TEXT = <any OCTET except CTLs, but including LWS>
OCTET = <any 8-bit sequence of data>
2) the character after '\\' could be either part of a quoted-pair
(together with '\\'), or a normal qdtext, since '\\' itself can
be treated as a qdtext. This is equivalent to saying that the
character after '\\' in a quoted string could be ANY octet.
A patch based on the above two observations is attached.
Peng
(cherry picked from commit f10730f616)
In soap_ctrlpt.c, in function get_response_value:
upnp_error_code is checked to see if it is less than 400 because that
would indicate a SOAP error code.
However it should be checked to see if it is greater than 400.
(cherry picked from commit 7b1aa4c9e3)
Dear libupnp-devels,
when POST'ing to the simple web server in libupnp, the application crashes.
This is caused by a missing "..." argument in webserver.c:1533.
Seems it has been there for a long time ... 1.6.9 and 1.6.18 have it.
webserver.c:1533 calls http_MakeMessage
/* Send response. */
http_MakeMessage(&headers, 1, 1,
"RTLSXcCc",
ret, "text/html", X_USER_AGENT);
The format parameter RTLSXcCc needs four arguments -
R - response code - ret,
T- content type - text/html,
L - struct SendInstruction * - NOT PRESENT
X - user agent - X_USER_AGENT
This results in a crash.
Changing to
http_MakeMessage(&headers, 1, 1,
"RTLSXcCc",
ret, "text/html", &RespInstr, X_USER_AGENT);
solves the situation.
Yours,
Sebastian Brandt
(cherry picked from commit 25c27b8af7)
upnp/sample/Makefile.am:67: warning: sort \
upnp/sample/Makefile.am:67: $(tv_ctrlpt_SOURCES: non-POSIX variable name
upnp/sample/Makefile.am:67: (probably a GNU make extension)
Reference:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=13771#8
(cherry picked from commit dcbbc30f5c)
This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the folowing CVE
numbers:
CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
Notice that the following issues have already been dealt by previous
work:
CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
(cherry picked from commit f015a132e8)
This patch fixes a bug in non blocking connect call where the sock
option length for SO_ERROR was passed as 0 instead of sizeof(int).
(cherry picked from commit 6db2271ac3)
If device is disabled, SetGenaCallback definition is disabled,
but its call remains. A link error will occur in Win32.
(cherry picked from commit 4d21d45da7)
Wrong assignment by shutdown result hides the real error code
of NewRequestHandler() in ssdp_device.c.
Fix return code description of NewRequestHandler().
Handle return code from ithread_create in sample applications.
Remove unused assignments.
(forward ported from commit 39dfad2cba)
In parser_parse_chunky_headers, parser->msg.msg.buf can be changed
by membuffer_delete call. Therefore if we save the pointer to
parser->msg.entity.buf before calling membuffer_delete, it will
induce access to released memory.
(cherry picked from commit d72bb5cff5)
Add an additional INET_IPV6 exclusion around IPV6_MULTICAST_HOPS since
the definition isn't guaranteed to exist when the toolchain lacks IPv6
support.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
(cherry picked from commit 1c21e6e54f)
1. Test Instr before dereference it in http_RecvPostMessage.
(Though it never becomes NULL because NULL is not passed to
the static method)
2. Avoid strdup(NULL) in ixmlElement_setAttributeNS.
Those are detected by llvm scan-build.
(cherry picked from commit a383cbb8e2)
Define http_gmtime_r and web_server_asctime_r and use it.
Those prefix are added since pthread for Win32 already
has macro gmtime_r and asctime_r.
(forward port of commit 34a77cc095)
The variable is declared as SOCKET, but it is used to
store return value of int receive_from_stopSock(...).
The type was changed in the commit
4b47e6a51d by mistake.
(cherry picked from commit e10bc2ec0c)
Add --enable-unspecified_server configure option to set to "Unspecified"
the OS name, OS version, product name and product version normally
contained in the SERVER header as this could be used by an attacker.
(forward port of commit 49af91fe48)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-29 07:36:34 PDT
Miniserver is disabled if ECXLUDE_GENA, EXCLUDE_SOAP and
EXCLUDE_WEBSERVER are set.
However, SSDP needs the Miniserver to answer to M-SEARCH requests.
So, MiniServer should not be disabled if EXCLUDE_SSDP is not also set.
(cherry picked from commit 9a33782ab5)
Use INCLUDE_DEVICE_APIS instead of UPNP_HAVE_DEVICE as in other sources.
Don't use soap_device_callback if INCLUDE_DEVICE_APIS is not set,
otherwise link error occur on Windows.
(cherry picked from commit e0e81e6cd2)
Submitted: Yoichi NAKAYAMA ( yoichi ) - 2012-03-25 18:14:34 PDT
There are typos in upnp/src/inc/config.h "EXCLUDE_SSSDP" (shold be
EXCLUDE_SSDP), therefore EXCLUDE_SSDP is always 0, and --disable-ssdp
has no effect.
(cherry picked from commit 02afbb09c9)
Cast parameters of htonl in uint32_t in IN6_IS_ADDR_GLOBAL and
IN6_IS_ADDR_ULA definitions.
Remove comparison with 0 in while statement of vfmatch,
http_SendMessage and http_MakeMessage.
(cherry picked from commit 804088d859)
GetDeviceHandleInfo just fail without using undefined member DeviceAf
if UPNP_HAVE_DEVICE is not defined.
Move ContentTypeHeader definition to soap_common.c, since it is
also used in soap_ctrlpt.c.
(cherry picked from commit 679ebeec48)
Submitted: Marco Virgulti ( mvirg83 ) - 2012-03-23 10:08:08 PDT
There is a problem, perhaps, during downloading a document by
UpnpDownloadXmlDoc. During debugging i've found that in an not exported
api (unfortunately i forgot the code line...) where it is setted a
local variable "int timeout" to -1 then passed directly to another
function for sending data through tcp socket. I patched this setting it
to 0 (there is an IF section that exits if timeout < 0). It is normal
behavior or it is a bug?
Comment unused SERVER from DeviceShutdown.
Comment unused max from parse_hostport.
Comment unused nodeptr from ixmlNode_cloneDoc.
Comment unused newNode from Parser_hasDefaultNamespace.
Comment unused Parser_parseReference function
Check return code of shutdown and display an error if needed.
(forward port of commit cb07623dde)
Modify configure.ac to add --disable-optssdp option. This option will
remove OPT, 01-NLS and X_USER_AGENT headers from SSDP messages as those
headers are optional. If --disable-gena and disable-optssdp are both
used, uuid part will not be compiled anymore.
(cherry picked from commit 731512b0e5)
src/genlib/net/http/httpreadwrite.c: In function ‘http_Download’:
src/genlib/net/http/httpreadwrite.c:790:5: warning: format ‘%d’ expects
type ‘int’, but argument 6 has type ‘size_t’
src/genlib/net/http/httpreadwrite.c:790:5: warning: format ‘%d’ expects
type ‘int’, but argument 7 has type ‘size_t’
Change ret_code from int to parse_status_t in match.
Set back return code of ReadResponseLineAndHeaders from parse_status_t
to int as this function can return UPNP_E_BAD_HTTPMSG. As a result, do
not cast the result of this function into parse_status_t in
http_OpenHttpGetProxy and http_OpenHttpGetEx.
Use switch with PARSE_OK in parsetools.c.
Add missing explicit casts of integer constants in uri.c and
httpreadwrite.c.
Use switch, int and sa_family_t with AF_INET in uri.c.
Print an error in http_Download if realloc failed.
(forward port of commit b116d10f37)
Replace if statements with switch when using HND_DEVICE and HND_CLIENT
enum constants.
Correct also UpnpUnRegisterRootDeviceLowPower and UpnpUnRegisterClient
as those functions were wrongly awaiting an UPNP_E_INVALID_HANDLE
instead of HND_INVALID from GetHandleInfo.
(cherry picked from commit 1a083479a9)
Do not compile CreateClientRequestPacketUlaGua if IPv6 is disable.
Cast DestAddr->sa_family from sa_family_t into int when calling
CreateServicePacket as this function has been set back to accept int in
a692e591de.
Use switch instead of if with AF_INET and AF_INET6.
Add missing casts from AF_INET and AF_INET6 into sa_family_t when using
them to set sin_family and sin6_family.
Add missing explicit casts into size_t or lu when using integer
constants with strlen or unsigned long indexes.
Set SSDP_PAUSE to be unsigned as it is used with usleep.
(cherry picked from commit 850e6b4849)
