This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the folowing CVE
numbers:
CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
Notice that the following issues have already been dealt by previous
work:
CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
Wrong assignment by shutdown result hides the real error code
of NewRequestHandler() in ssdp_device.c.
Fix return code description of NewRequestHandler().
Handle return code from ithread_create in sample applications.
Remove unused assignments.
Sample applications share sample_util.c and collisions of
object file can occur in parallel build. Modify project files to
split intermediate directories against it.
Apply similar changes also to library projects, like vc10 projects.
In parser_parse_chunky_headers, parser->msg.msg.buf can be changed
by membuffer_delete call. Therefore if we save the pointer to
parser->msg.entity.buf before calling membuffer_delete, it will
induce access to released memory.
Add an additional INET_IPV6 exclusion around IPV6_MULTICAST_HOPS since
the definition isn't guaranteed to exist when the toolchain lacks IPv6
support.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
1. Test Instr before dereference it in http_RecvPostMessage.
(Though it never becomes NULL because NULL is not passed to
the static method)
2. Avoid strdup(NULL) in ixmlElement_setAttributeNS.
Those are detected by llvm scan-build.
The variable is declared as SOCKET, but it is used to
store return value of int receive_from_stopSock(...).
The type was changed in the commit
4b47e6a51d by mistake.
Add --enable-unspecified_server configure option to set to "Unspecified"
the OS name, OS version, product name and product version normally
contained in the SERVER header as this could be used by an attacker.
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-29 07:36:34 PDT
Miniserver is disabled if ECXLUDE_GENA, EXCLUDE_SOAP and
EXCLUDE_WEBSERVER are set.
However, SSDP needs the Miniserver to answer to M-SEARCH requests.
So, MiniServer should not be disabled if EXCLUDE_SSDP is not also set.
Use INCLUDE_DEVICE_APIS instead of UPNP_HAVE_DEVICE as in other sources.
Don't use soap_device_callback if INCLUDE_DEVICE_APIS is not set,
otherwise link error occur on Windows.
Submitted: Yoichi NAKAYAMA ( yoichi ) - 2012-03-25 18:14:34 PDT
There are typos in upnp/src/inc/config.h "EXCLUDE_SSSDP" (shold be
EXCLUDE_SSDP), therefore EXCLUDE_SSDP is always 0, and --disable-ssdp
has no effect.
Cast parameters of htonl in uint32_t in IN6_IS_ADDR_GLOBAL and
IN6_IS_ADDR_ULA definitions.
Remove comparison with 0 in while statement of vfmatch,
http_SendMessage and http_MakeMessage.
GetDeviceHandleInfo just fail without using undefined member DeviceAf
if UPNP_HAVE_DEVICE is not defined.
Move ContentTypeHeader definition to soap_common.c, since it is
also used in soap_ctrlpt.c.
Check return code of ixmlDocument_CreateElementEx in
ixmlDocument_CreateElement.
Check return code of ixmlNode_setNodeName and ixmlNode_setNodeValue in
ixmlNode_cloneCDATASect and ixmlNode_cloneTextNode.
Comment unused SERVER from DeviceShutdown.
Comment unused max from parse_hostport.
Comment unused nodeptr from ixmlNode_cloneDoc.
Comment unused newNode from Parser_hasDefaultNamespace.
Comment unused Parser_parseReference function
Check return code of shutdown and display an error if needed.
src/genlib/net/http/httpreadwrite.c: In function ‘http_Download’:
src/genlib/net/http/httpreadwrite.c:790:5: warning: format ‘%d’ expects
type ‘int’, but argument 6 has type ‘size_t’
src/genlib/net/http/httpreadwrite.c:790:5: warning: format ‘%d’ expects
type ‘int’, but argument 7 has type ‘size_t’
(cherry picked from commit 5969530dcf)
Modify configure.ac to add --disable-optssdp option. This option will
remove OPT, 01-NLS and X_USER_AGENT headers from SSDP messages as those
headers are optional. If --disable-gena and disable-optssdp are both
used, uuid part will not be compiled anymore.
