597 Commits

Author SHA1 Message Date
Marcelo Roberto Jimenez
3fc0f9ad1d Adjust the library numbers for release. release-1.6.19 2013-11-15 14:10:05 -02:00
Marcelo Roberto Jimenez
2211cc14e6 Access violation due to changed usage of pthreads-win32
SF Bug Tracker #119, Creator: Klaus Fischer

Dear libupnp developers,

I have experienced a crash (access violation) when using libupnp on
Windows. The crash is actually located in pthreads-win32 and happens
when repeatedly de-/initializing libupnp on Win32 in the same process
and both libupnp and pthreads-win32 are compiled as static libraries.

So I'm doing this:
- UpnpInit()
- UpnpFinish()
- UpnpInit() <- Crash

I am already in touch with Ross Johnson on the pthreads-win32 mailing
list regarding this issue:

http://sourceware.org/ml/pthreads-win32/2013/msg00020.html

He told me the problem is that the functions
pthread_win32_process_attach/detach_np() should no longer be called
directly, but are invoked automatically now since version 2.9.0 of
pthreads-win32, which has been released approx. 1.5 years ago. Please
refer to above link for in-depth information.

So for proper using of latest pthreads-win32 library, those function
calls should vanish inside libupnp. Could you consider adapting libupnp
in that way? I would really like to use both libraries out-of-the-box
without local modifications, and this issue prevents that.

Best regards,
Klaus
2013-11-14 15:06:31 -02:00
Peng
bf60dc06e0 Fix several minor bugs in soap_device.c
1) remove redundant free
2) avoid user-provided ErrStr being overwritten by the default one
3) eliminated memory leak possiblity in handle_query_variable

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
2013-11-08 16:03:09 -02:00
Peng
908785fba7 Fix return value check of parse_uri
Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
2013-11-08 11:07:08 -02:00
Yoichi Nakayama
1a28e8ff51 tv_ctrlpt crashes after detecting a later version of tvcontrol service
SF Bug Tracker #118, Creator: T.Iwamoto

	From:  gon3456@users.sf.net
	Steps to reproduce:
	1. Extracts and build libupnp-1.6.18
	$ tar -xjf /path/to/archive/libupnp-1.6.18.tar.bz2
	$ cd libupnp-1.6.18
	$ ./configure
	$ make
	2. Applies the attached patch and remake.
	$ patch -p1 < /path/to/patch/libupnp-1.6.18.patch
	$ make
	3. Run tv_device.
	$ cd upnp/sample
	$ ./tv_device
	4. Run tv_ctrlpt; the tv_ctrlpt crashes soon.
	$ ./tv_ctrlpt
	Segmentation fault (core dumped)
	This is an issue report about the sample program of control point.
	The tv_ctrlpt crashes after detecting a tvdevice that contains tvcontrol:2 or higher version of tvcontrol service.
	tv_ctrlpt should detect correctly such devices due to forward compatibility of control points with device.
	For more information about the compatibility, please refer the following document:
	DLNA Architectures and Protocols Part 1 2011 December - 7.3.2.1.3 (GUN:GZJXU)
	The attached patch changes the sample programs as below:
	- device: changes version of tvcontrol service from 1 to 2. This change may occur in the future.
	- cp: nothing changed: cp knows version 1 of tvcontrol service only.
	I know many vendors implements their control points based on the tv_ctrlpt, so I hope to fix this issue ASAP.

	==

	From: Yoichi NAKAYAMA
	SEGV is caused by strcpy with NULL argument.
	Attached patch will avoid SEGV in strcpy, but there may be other inconsistencies.

	> I know many vendors implements their control points based on the tv_ctrlpt,

	I don't think so. I think tv_ctrlpt is just a sample to be used with tv_device.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
2013-10-29 17:55:23 -02:00
Pino Toscano
89ad5e6779 Fix compilation on GNU/Hurd 2013-10-28 14:01:11 -02:00
Peng
062ac0c926 Fix return value of http_RecvPostMessage and update httpparser.c's comments 2013-10-28 11:35:23 -02:00
Peng
06aa3b17c4 Fix return value of process_request and related subroutines
1) Only HTTP_XXX should be return
2) Make default return value work for process_request
2013-10-28 11:34:58 -02:00
Peng
9f444a680e Fix Content-Range generation bug 2013-10-28 11:34:52 -02:00
zexian chen
8e3a71905b Fix memory leaks when when calling ThreadPoolAdd() or ThreadPoolAddPersistent()
Hi,

I had found some bugs about memory leak on libupnp-1.6.18.

It may lead to memory leak  when calling ThreadPoolAdd() or
ThreadPoolAddPersistent() which does not return 0.

See the attachment for patch.
2013-09-10 17:27:07 -03:00
Peng
72c29ef1f6 Fix return value of config_description_doc.
UPNP_E_XXX should not be used instead of IXML_XXX
2013-09-04 09:57:33 -03:00
Peng
f6a3102b48 Remove faulty free in GetDescDocumentAndURL.
temp_str, which points to part of description, should not be freed.
2013-09-04 09:57:32 -03:00
Peng
9a9c4e829e Avoid malicious client exploit to exhaust the device's memory
Suppose the UPnP device is listening on 192.168.1.102:49152. Use the following to send
garbage bytes to the device:
while true; do echo "\""; done | netcat 192.168.1.102 49152

The device just keeps receiving these bytes and its memory usage keeps growing.
Malicious client may exploit it to exhaust the device's memory.

The attached patch eliminates this possibility.
2013-09-02 14:56:11 -03:00
Peng
7a571f513e Scanner problems
1) restore the scanner's original cursor position in case of
   insufficient input;
2) free the memories allocated for a new header in case of a failure.
2013-09-02 14:38:04 -03:00
Peng
f10730f616 Patch to fix behaviou when char is signed
it seems to me that there is still something wrong:

	1)  the new is_qdtext_char() is incorrect.
	There is a trap if char is implemented as signed char.
	Suppose that c is '\xFF', it will be -1 when converted to an int.
	By definition, c should be qdtext:
	qdtext = <any TEXT except <">>
	TEXT = <any OCTET except CTLs, but including LWS>
	OCTET = <any 8-bit sequence of data>

	2) the character after '\\' could be either part of a quoted-pair
	(together with '\\'), or a normal qdtext, since '\\' itself can
	be treated as a qdtext. This is equivalent to saying that the
	character after '\\' in a quoted string could be ANY octet.

	A patch based on the above two observations is attached.

	Peng
2013-08-16 14:16:47 -03:00
Marcelo Roberto Jimenez
c70f5ce323 Enforce RFC 2616 and accept "0" after a backslash for quoted-strings.
Reported by Peng <howtofly(at)gmail.com>
2013-08-14 09:51:41 -03:00
Peng
a3c540bc9b scanner_get_token: robustness improvement
Patch to make scanner_get_token more robust (avoid over-reading).
2013-08-14 09:22:43 -03:00
Robert Buckley
7b1aa4c9e3 SF ticket #53 Action Error Response not returned
In soap_ctrlpt.c, in function get_response_value:

upnp_error_code is checked to see if it is less than 400 because that
would indicate a SOAP error code.

However it should be checked to see if it is greater than 400.
2013-07-30 17:07:30 -03:00
Zheng Peng
907c7c2621 SF ticket #116 UpnpRemoveVirtualDir wrong linked list operation
What if pVirtualDirList has two nodes and what we want to delete is the
first one. Patch attached.
2013-07-30 16:02:14 -03:00
Sebastian Brandt
25c27b8af7 Fix for crash in webserver.c by Sebastian Brandt
Dear libupnp-devels,
when POST'ing to the simple web server in libupnp, the application crashes.
This is caused by a missing "..." argument in webserver.c:1533.
Seems it has been there for a long time ... 1.6.9 and 1.6.18 have it.

webserver.c:1533 calls http_MakeMessage
/* Send response. */
http_MakeMessage(&headers, 1, 1,
	 "RTLSXcCc",
	 ret, "text/html", X_USER_AGENT);
The format parameter RTLSXcCc needs four arguments -
R - response code - ret,
T- content type - text/html,
L - struct SendInstruction * - NOT PRESENT
X - user agent - X_USER_AGENT

This results in a crash.

Changing to
http_MakeMessage(&headers, 1, 1,
	 "RTLSXcCc",
	 ret, "text/html", &RespInstr, X_USER_AGENT);
solves the situation.

Yours,
Sebastian Brandt
2013-07-30 11:46:46 -03:00
Marcelo Roberto Jimenez
dcbbc30f5c Fix for portability issue with GNU make extension 'sort'
upnp/sample/Makefile.am:67: warning: sort \
upnp/sample/Makefile.am:67:                     $(tv_ctrlpt_SOURCES: non-POSIX variable name
upnp/sample/Makefile.am:67: (probably a GNU make extension)

Reference:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=13771#8
2013-07-30 11:26:09 -03:00
Marcelo Roberto Jimenez
3509991872 Fix for warning issue in libtool
Reference:
http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html

Re: automake 1.12 and AM_PROG_AR

From:	 Nick Bowler
Subject:	 Re: automake 1.12 and AM_PROG_AR
Date:	 Thu, 10 May 2012 17:16:04 -0400
User-agent:	 Mutt/1.5.21 (2010-09-15)
On 2012-05-10 12:52 +0200, Simon Josefsson wrote:
> Hi,
>
> I have received patches similar to the one below for several of my
> projects already, and I'm beginning to think there may be something that
> could be improved in automake.  Why does automake 1.12 need something
> that 1.11 doesn't even recognize?  Perhaps a smoother way to introduce
> this behaviour is to let 1.12 automatically enable it?
>
> Alternatively, is there some other way to address the warnings that is
> better?  Does it indicate a real problem in my projects?
>
> http://lists.gnu.org/archive/html/help-libidn/2012-05/msg00000.html
> http://lists.gnu.org/archive/html/help-libidn/2012-05/txtqAGOGgtPqj.txt

FYI, since the patch is so short it would have been helpful to include
it inline in your email.  I've taken the liberty of reproducing it
below:

> --- libidn-1.24.orig/configure.ac
> +++ libidn-1.24/configure.ac
> @@ -34,6 +34,10 @@ AC_SUBST(LT_CURRENT, 17)
>  AC_SUBST(LT_REVISION, 7)
>  AC_SUBST(LT_AGE, 6)
>
> +# automake 1.12 seems to require this, but automake 1.11 doesn't recognize it
> +m4_pattern_allow([AM_PROG_AR])
> +AM_PROG_AR
> +
>  AC_PROG_CC
>  gl_EARLY
>  lgl_EARLY

First off, this patch seems wrong at a first glance by its use of
m4_pattern_allow: this is saying that "It's ok for AM_PROG_AR to appear
verbatim in the configure script".  This suggests to me that the patch
didn't actually get tested (well) on Automake 1.11, since there will
almost certainly be an error about AM_PROG_AR at configure time.

This one should actually work properly on both old and new Automake
(untested):

  m4_ifdef([AM_PROG_AR], [AM_PROG_AR])

That being said, the new warning is enabled by the -Wextra-portability
option that was added to Automake-1.12.  I'm by no means an export on
this issue, but I think it relates to new support for building with the
Microsoft compiler: in other words, I think that ignoring this warning
will not cause regressions in your package but, instead, your package
will simply not be able to make use of the new feature.

Regardless, I believe that for most packages the new warning is actually
caused by Libtool, and therefore the correct place to add the call to
AM_PROG_AR is in libtool itself, rather than ad-hoc patching of each
package individually.  You can silence the warnings (but not fix them)
by adding -Wno-extra-portability to AM_INIT_AUTOMAKE.

Cheers,
--
Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/)
2013-07-30 10:39:30 -03:00
Marcelo Roberto Jimenez
6279b7fa5f Homekeeping for the next release. 2013-01-29 12:11:56 -02:00
Marcelo Roberto Jimenez
6cd1f11154 Adjust the library numbers for release. release-1.6.18 2013-01-29 12:04:00 -02:00
Marcelo Roberto Jimenez
f015a132e8 Security fix for CERT issue VU#922681
This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the folowing CVE
numbers:

CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt by previous
work:

CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
2012-12-06 15:43:15 -02:00
Marcelo Roberto Jimenez
40e90e89fc Remove an unused variable 2012-06-20 21:34:01 -03:00
Marcelo Roberto Jimenez
40ddff1096 Remove an unused variable ifndef INET_IPV6 2012-06-20 21:26:05 -03:00
Marcelo Roberto Jimenez
692813d03e Remove a pointless way to test a return value 2012-06-20 21:15:01 -03:00
Yoichi NAKAYAMA
d9e90499b7 Fix memory leak and access violation in UpnpSendAction(Ex)Async.
Free buffers after malloc or ixmlPrintNode failure.
Free Param->Header before destructing Param.
2012-06-19 19:13:46 +09:00
Anoop Mohan
6db2271ac3 Fixes a bug in non blocking connect call
This patch fixes a bug in non blocking connect call where the sock
option length for SO_ERROR was passed as 0 instead of sizeof(int).
2012-05-25 11:59:21 -03:00
Yoichi NAKAYAMA
4d21d45da7 Disable SetGenaCallback call if device is disabled.
If device is disabled, SetGenaCallback definition is disabled,
but its call remains. A link error will occur in Win32.
2012-04-25 00:29:42 +09:00
Yoichi NAKAYAMA
708ea30806 Fix condition for allocation failure in get_content_type().
At the end of get_content_type() in webserver.c, it should check
return value of ixmlCloneDOMString().
2012-04-21 21:48:55 +09:00
Yoichi NAKAYAMA
39dfad2cba Fix problems detected as dead assignment warning by clang scan-build.
Wrong assignment by shutdown result hides the real error code
of NewRequestHandler() in ssdp_device.c.
Fix return code description of NewRequestHandler().
Handle return code from ithread_create in sample applications.
Remove unused assignments.
2012-04-21 11:38:20 +09:00
Yoichi NAKAYAMA
3d7c1dbd59 Avoid dereference of null pointer in ixmlNode_setNodeProperties.
The problem can occur if one of the arguments is NULL.
Test argument and fix assertion.
2012-04-21 01:48:47 +09:00
Yoichi NAKAYAMA
e52e7e0bd3 Create intermediate directory per project on vc9.
Sample applications share sample_util.c and collisions of
object file can occur in parallel build. Modify project files to
split intermediate directories against it.
Apply similar changes also to library projects, like vc10 projects.
2012-04-17 20:40:51 +09:00
Thijs Schreijer
d5d680d131 Updated the readme regarding the newer visual studio versions and the 'VC runtime dependency hell'
(cherry picked from commit e570b7943d6835778c0055985cac5f83fa012535)
2012-04-11 20:17:37 -03:00
Thijs Schreijer
7ee266076d Added pthreads folder back in, put in on the ignore list this time so it won't be included in the repository 2012-04-11 20:16:37 -03:00
Thijs Schreijer
90fad896c4 - Copied the VC9 build directory and renamed to VC10 to prepare for Visual Studio 2010 update - Upgraded build/VC10 dir from VC9 to VC10 (using wizard) - Updated the Debug build configuration to be functional, including references for pthread.dll and the web example folders. Other build configurations still to be fixed. - Added output directory to GIT-ignore list. - Updated the Win32 build configurations to make them all work. x64 remains to be done. - Updated build process, after build events (copying sample files and pthreadVC2.dll to the target directory)
(cherry picked from commit e385d5a27e22049270a2ac71cca7924ce95073c5)
2012-04-11 20:13:00 -03:00
Marcelo Roberto Jimenez
0ea9c438e5 Update THANKS file 2012-04-11 17:42:22 -03:00
Marcelo Roberto Jimenez
c661180d15 Add errno.h inclusion in unixutil.h only in WIN32 2012-04-11 17:41:51 -03:00
Thijs Schreijer
1a98394781 Fixed warning by adding an explicit cast to long; TimerThread.c ..\..\threadutil\src\TimerThread.c(110): warning C4244: '=' : conversion from 'time_t' to 'long', possible loss of data 2012-04-11 17:39:13 -03:00
Thijs Schreijer
89fe655aee Fixed redefinition warnings for EAFNOSUPPORT and EADDRINUSE, Google turned up that they are newly defined in VS2010
unixutil.h, line 41
upnputil.h, line 125

Had a look here; http://bugs.ruby-lang.org/issues/3092 and added the mentioned fixes as found here; http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/include/ruby/win32.h?r1=27222&r2=27236&pathrev=27258&diff_format=h and here http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/include/ruby/win32.h?r1=27236&r2=27258&pathrev=27258&diff_format=h
2012-04-11 17:39:08 -03:00
Yoichi NAKAYAMA
d72bb5cff5 Avoid access violation after parser_parse_chunky_headers call.
In parser_parse_chunky_headers, parser->msg.msg.buf can be changed
by membuffer_delete call. Therefore if we save the pointer to
parser->msg.entity.buf before calling membuffer_delete, it will
induce access to released memory.
2012-04-12 01:51:12 +09:00
Marcelo Roberto Jimenez
e02753736a Update THANKS file. 2012-04-11 12:00:33 -03:00
Gustavo Zacarias
1c21e6e54f ssdp_device: exclude IPv6 stuff when there's no IPv6
Add an additional INET_IPV6 exclusion around IPV6_MULTICAST_HOPS since
the definition isn't guaranteed to exist when the toolchain lacks IPv6
support.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
2012-04-11 11:56:40 -03:00
Yoichi NAKAYAMA
a383cbb8e2 Remove possibility of access violation.
1. Test Instr before dereference it in http_RecvPostMessage.
(Though it never becomes NULL because NULL is not passed to
the static method)
2. Avoid strdup(NULL) in ixmlElement_setAttributeNS.
Those are detected by llvm scan-build.
2012-04-06 23:21:18 +09:00
Yoichi NAKAYAMA
34a77cc095 SF Bug Tracker id 3507819 - Use of thread-unsafe gmtime() in httpreadwrite.c
Define http_gmtime_r and web_server_asctime_r and use it.
Those prefix are added since pthread for Win32 already
has macro gmtime_r and asctime_r.
2012-04-06 03:13:43 +09:00
Yoichi NAKAYAMA
e10bc2ec0c Fix type of local variable stopSock in RunMiniServer()
The variable is declared as SOCKET, but it is used to
store return value of int receive_from_stopSock(...).
The type was changed in the commit
4b47e6a51d9c7049a862695b68de75699e023551 by mistake.
2012-04-06 00:07:56 +09:00
Fabrice Fontaine
777c936f4c Compilation optimisation
Do not compile the code related to the webserver in http_SendMessage
when --disable-webserver is set
2012-04-03 16:11:31 +02:00
Marcelo Roberto Jimenez
04c1bf3fb0 White space fix. 2012-04-03 09:59:58 -03:00