836 Commits

Author SHA1 Message Date
Dirk
b252df8298 #121 Support css files in webserver
Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit 72460df7475f9fb1e391e0c6f2d9c59eaf2303de)
2014-09-26 13:55:23 -03:00
Philipp Matthias Hahn
c7f60be9ef Add unit test for parse_uri()
Tested through the public function UpnpResolveURL2().

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit a596abfbe3c16768468d68124bc728f4060e5e0a)
2014-09-22 12:00:02 -03:00
Philipp Matthias Hahn
b0af3dda34 Fix remove_dots()
Rewrite to handle all normal and abnormal examples mentioned in RFC 3986
section 5.4.
The previous implementation failed the following test cases:

'http://www.libupnp.org/path1/path1' | '#frag1' -> 'http://www.libupnp.org/path1/#frag1' != 'http://www.libupnp.org/path1/path1#frag1' (0)
'http://127.0.0.1:6544/getDeviceDesc' | 'CDS_Event' -> 'http://127.0.0.1:6544/CDS_EventDesc' != 'http://127.0.0.1:6544/CDS_Event' (0)
'http://localhost/b/c/d;p?q' | 'g' -> 'http://localhost/b/c/g;p' != 'http://localhost/b/c/g' (0)
'http://localhost/b/c/d;p?q' | 'g/' -> 'http://localhost/b/c/g/p' != 'http://localhost/b/c/g/' (0)
'http://localhost/b/c/d;p?q' | '?y' -> 'http://localhost/b/c/?yp' != 'http://localhost/b/c/d;p?y' (0)
'http://localhost/b/c/d;p?q' | '#s' -> 'http://localhost/b/c/#sp' != 'http://localhost/b/c/d;p?q#s' (0)
'http://localhost/b/c/d;p?q' | ';x' -> 'http://localhost/b/c/;xp' != 'http://localhost/b/c/;x' (0)
'http://localhost/b/c/d;p?q' | '.' -> 'http://localhost/b/c/.;p' != 'http://localhost/b/c/' (0)
'http://localhost/b/c/d;p?q' | './' -> 'http://localhost/b/c/p' != 'http://localhost/b/c/' (0)
'http://localhost/b/c/d;p?q' | '..' -> 'http://localhost/b/c/..p' != 'http://localhost/b/' (0)
'http://localhost/b/c/d;p?q' | '/./g' -> 'http://localhost/./g' != 'http://localhost/g' (0)
'http://localhost/b/c/d;p?q' | '/../g' -> 'http://localhost/../g' != 'http://localhost/g' (0)
'http://localhost/b/c/d;p?q' | 'g.' -> 'http://localhost/b/c/g.p' != 'http://localhost/b/c/g.' (0)
'http://localhost/b/c/d;p?q' | '.g' -> 'http://localhost/b/c/.gp' != 'http://localhost/b/c/.g' (0)

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit fbbb24f4063bf01013e988afba0e796a6d8dc52e)
2014-09-22 12:00:02 -03:00
Philipp Matthias Hahn
ef6a6df0b0 Fix resolve_rel_url()
This reworks commit 0edaf3361db01425cae0daee7dc3f6039f381a17, which
broke resolving relative url, where the relative URL is shorter than the
absolute URL:
    "http://127.0.0.1:6544/getDeviceDesc" + "CDS_Event"
    Wrong: "http://127.0.0.1:6544/CDS_EventDesc"
    Right: "http://127.0.0.1:6544/CDS_Event"

While reviewing that commit, improve code by:
1. Move the simple cases to the beginning of the function.
2. Keep track of the remaining target buffer size.
3. Fix URI concatenation with queries.
4. Fix URI concatenation with fragments.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit 0508fb0d6e55a9066f3722843aa782632d302276)
2014-09-22 11:36:10 -03:00
Philipp Matthias Hahn
814d15bdb1 Fix broken strncat(..., strlen())
commit 0edaf3361db01425cae0daee7dc3f6039f381a17 replaced several
malloc()+strcat() sequences with strncat() using strlen() on the
*source* string.
This is still vulnerable to overwrite the *target* buffer.

While reviewing this commit change the code to directly use snprintf()
for concatenating strings and check the length of the target buffer.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit 848d66e69daf30d3b64db1450618cd819c370ad4)
2014-09-22 11:36:10 -03:00
Philipp Matthias Hahn
0398b1fc75 Directly use strdup()
commit 0edaf3361db01425cae0daee7dc3f6039f381a17 replaced several
malloc()+strcpy() sequences with memset()+strncpy() using strlen().
This doesn't improve security and introduced a bug URI handling.

While reviewing this commit change the code to directly use strdup()
instead of re-implementing it multiple times, as shortens the code and
thus improves readability.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit 04fb68432330c3a622161dda98dbe1b30eaa0927)
2014-09-22 11:36:10 -03:00
Fabrice Fontaine
11f05dc09d Fix getaddrinfo() loop
Commit b116d10f did the following change:
    Use switch, int and sa_family_t with AF_INET in uri.c.

This breaks when getaddrinfo() only returns a single record, as in that
case the "break" only exits the switch statement and the loop-step
"res=res->ai_next" is still executed. After that "res == NULL" is
wrongly interpreted as not having found an AF_INET or AF_INET6 address.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit faaef39a3c559cc0ffc60191c7b9b5179b5ab9a3)
2014-09-22 11:36:10 -03:00
Peng
153d71f10b Fix memory leaks caused by DOMString members.
Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
2014-02-20 14:18:02 -03:00
Peng
c293ad00c4 rewrite soap_device.c
1) separate HTTP handling from SOAP handling
2) remove repeated validity check, each check is performed exactly once
3) fix HTTP status code per UPnP spec, SOAP spec and RFC 2774

Conflicts:
	ChangeLog
	upnp/src/soap/soap_device.c

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
2014-02-20 14:15:35 -03:00
Marcelo Roberto Jimenez
44af14f387 Access violation due to changed usage of pthreads-win32
SF Bug Tracker #119, Creator: Klaus Fischer

Dear libupnp developers,

I have experienced a crash (access violation) when using libupnp on
Windows. The crash is actually located in pthreads-win32 and happens
when repeatedly de-/initializing libupnp on Win32 in the same process
and both libupnp and pthreads-win32 are compiled as static libraries.

So I'm doing this:
- UpnpInit()
- UpnpFinish()
- UpnpInit() <- Crash

I am already in touch with Ross Johnson on the pthreads-win32 mailing
list regarding this issue:

http://sourceware.org/ml/pthreads-win32/2013/msg00020.html

He told me the problem is that the functions
pthread_win32_process_attach/detach_np() should no longer be called
directly, but are invoked automatically now since version 2.9.0 of
pthreads-win32, which has been released approx. 1.5 years ago. Please
refer to above link for in-depth information.

So for proper using of latest pthreads-win32 library, those function
calls should vanish inside libupnp. Could you consider adapting libupnp
in that way? I would really like to use both libraries out-of-the-box
without local modifications, and this issue prevents that.

Best regards,
Klaus
(cherry picked from commit 2211cc14e644db48d8ea8dac34b02d6dc7b8c3c7)
2013-11-14 15:14:44 -02:00
Peng
82cf12b9ed Fix several minor bugs in soap_device.c
1) remove redundant free
2) avoid user-provided ErrStr being overwritten by the default one
3) eliminated memory leak possiblity in handle_query_variable

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit bf60dc06e060583d8befdb23df566b6a27b062f0)

Conflicts:
	upnp/src/soap/soap_device.c
2013-11-08 16:11:20 -02:00
Peng
a65f3cebb3 Fix return value check of parse_uri
Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit 908785fba779bd5ea0bcf7b6a19a9bf345d37eb3)
2013-11-08 11:10:00 -02:00
Yoichi Nakayama
9a8758399c tv_ctrlpt crashes after detecting a later version of tvcontrol service
SF Bug Tracker #118, Creator: T.Iwamoto

	From:  gon3456@users.sf.net
	Steps to reproduce:
	1. Extracts and build libupnp-1.6.18
	$ tar -xjf /path/to/archive/libupnp-1.6.18.tar.bz2
	$ cd libupnp-1.6.18
	$ ./configure
	$ make
	2. Applies the attached patch and remake.
	$ patch -p1 < /path/to/patch/libupnp-1.6.18.patch
	$ make
	3. Run tv_device.
	$ cd upnp/sample
	$ ./tv_device
	4. Run tv_ctrlpt; the tv_ctrlpt crashes soon.
	$ ./tv_ctrlpt
	Segmentation fault (core dumped)
	This is an issue report about the sample program of control point.
	The tv_ctrlpt crashes after detecting a tvdevice that contains tvcontrol:2 or higher version of tvcontrol service.
	tv_ctrlpt should detect correctly such devices due to forward compatibility of control points with device.
	For more information about the compatibility, please refer the following document:
	DLNA Architectures and Protocols Part 1 2011 December - 7.3.2.1.3 (GUN:GZJXU)
	The attached patch changes the sample programs as below:
	- device: changes version of tvcontrol service from 1 to 2. This change may occur in the future.
	- cp: nothing changed: cp knows version 1 of tvcontrol service only.
	I know many vendors implements their control points based on the tv_ctrlpt, so I hope to fix this issue ASAP.

	==

	From: Yoichi NAKAYAMA
	SEGV is caused by strcpy with NULL argument.
	Attached patch will avoid SEGV in strcpy, but there may be other inconsistencies.

	> I know many vendors implements their control points based on the tv_ctrlpt,

	I don't think so. I think tv_ctrlpt is just a sample to be used with tv_device.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit 1a28e8ff517f58a174a26cbd15e1e9dd7d060127)
2013-10-29 17:57:46 -02:00
Pino Toscano
89d34af3bd Fix compilation on GNU/Hurd
(cherry picked from commit 89ad5e67791f947ea6a13c83dbdd0bc02184b231)
2013-10-28 14:30:37 -02:00
Peng
4e87527eb6 Fix return value of http_RecvPostMessage and update httpparser.c's comments
(cherry picked from commit 062ac0c92621e1ace5e7400c8d3509327fd5c4ce)
2013-10-28 13:31:11 -02:00
Peng
a01cf2817a Fix return value of process_request and related subroutines
1) Only HTTP_XXX should be return
2) Make default return value work for process_request
(cherry picked from commit 06aa3b17c4e20c482de3865b4e8608077db8284b)

Conflicts:
	upnp/src/genlib/net/http/webserver.c
2013-10-28 13:28:57 -02:00
Peng
4f630b1213 Fix Content-Range generation bug
(cherry picked from commit 9f444a680e4f15cd670b94591406ddd3f2fbcf0b)
2013-10-28 12:02:51 -02:00
zexian chen
c5777ae747 Fix memory leaks when when calling ThreadPoolAdd() or ThreadPoolAddPersistent()
Hi,

I had found some bugs about memory leak on libupnp-1.6.18.

It may lead to memory leak  when calling ThreadPoolAdd() or
ThreadPoolAddPersistent() which does not return 0.

See the attachment for patch.
(cherry picked from commit 8e3a71905bc763332da9531285c507c2470989ae)

Conflicts:
	upnp/src/ssdp/ssdp_ctrlpt.c
2013-09-10 17:55:23 -03:00
Peng
490b0a5c86 Fix return value of config_description_doc.
UPNP_E_XXX should not be used instead of IXML_XXX
(cherry picked from commit 72c29ef1f6f4ba544f4a1a6d97428becca940301)
2013-09-04 11:20:11 -03:00
Peng
0c92ca4014 Remove faulty free in GetDescDocumentAndURL.
temp_str, which points to part of description, should not be freed.
(cherry picked from commit f6a3102b487f415895a95a0554ae66b092333c79)
2013-09-04 11:20:11 -03:00
Peng
1a8a8228e4 Avoid malicious client exploit to exhaust the device's memory
Suppose the UPnP device is listening on 192.168.1.102:49152. Use the following to send
garbage bytes to the device:
while true; do echo "\""; done | netcat 192.168.1.102 49152

The device just keeps receiving these bytes and its memory usage keeps growing.
Malicious client may exploit it to exhaust the device's memory.

The attached patch eliminates this possibility.
(cherry picked from commit 9a9c4e829ea059bafc80d5fb568223a8b2068b28)
2013-09-02 14:57:37 -03:00
Peng
2c663643dd Scanner problems
1) restore the scanner's original cursor position in case of
   insufficient input;
2) free the memories allocated for a new header in case of a failure.
(cherry picked from commit 7a571f513e801f071873f2627400461b04213b13)
2013-09-02 14:50:05 -03:00
Peng
8bcc4b41d1 Patch to fix behaviou when char is signed
it seems to me that there is still something wrong:

	1)  the new is_qdtext_char() is incorrect.
	There is a trap if char is implemented as signed char.
	Suppose that c is '\xFF', it will be -1 when converted to an int.
	By definition, c should be qdtext:
	qdtext = <any TEXT except <">>
	TEXT = <any OCTET except CTLs, but including LWS>
	OCTET = <any 8-bit sequence of data>

	2) the character after '\\' could be either part of a quoted-pair
	(together with '\\'), or a normal qdtext, since '\\' itself can
	be treated as a qdtext. This is equivalent to saying that the
	character after '\\' in a quoted string could be ANY octet.

	A patch based on the above two observations is attached.

	Peng
(cherry picked from commit f10730f616bc1ceff05b3987ffc8fcf3492f0f5b)
2013-08-16 14:17:40 -03:00
Marcelo Roberto Jimenez
61d2950fa5 Enforce RFC 2616 and accept "0" after a backslash for quoted-strings.
Reported by Peng <howtofly(at)gmail.com>
(cherry picked from commit c70f5ce323502e04f19e4c126c3235a14a1ce359)
2013-08-14 09:59:47 -03:00
Peng
cf8c0d0a93 scanner_get_token: robustness improvement
Patch to make scanner_get_token more robust (avoid over-reading).
(cherry picked from commit a3c540bc9ba74560239e2a906db4846fcdbec90e)
2013-08-14 09:59:47 -03:00
Marcelo Roberto Jimenez
4a78847fb9 White spaces 2013-07-31 17:25:52 -03:00
Marcelo Roberto Jimenez
e1813ed702 Merge remote-tracking branch 'origin/master' 2013-07-30 17:19:41 -03:00
Robert Buckley
396b7ae639 SF ticket #53 Action Error Response not returned
In soap_ctrlpt.c, in function get_response_value:

upnp_error_code is checked to see if it is less than 400 because that
would indicate a SOAP error code.

However it should be checked to see if it is greater than 400.
(cherry picked from commit 7b1aa4c9e30e95461dfc16fa8c30775fc2bba7cf)
2013-07-30 17:08:19 -03:00
Zheng Peng
a641a27cb6 SF ticket #116 UpnpRemoveVirtualDir wrong linked list operation
What if pVirtualDirList has two nodes and what we want to delete is the
first one. Patch attached.
(cherry picked from commit 907c7c2621f8b2323b6bd8227ec082ce41c0a292)
2013-07-30 16:05:57 -03:00
Sebastian Brandt
97b6be674a Fix for crash in webserver.c by Sebastian Brandt
Dear libupnp-devels,
when POST'ing to the simple web server in libupnp, the application crashes.
This is caused by a missing "..." argument in webserver.c:1533.
Seems it has been there for a long time ... 1.6.9 and 1.6.18 have it.

webserver.c:1533 calls http_MakeMessage
/* Send response. */
http_MakeMessage(&headers, 1, 1,
	 "RTLSXcCc",
	 ret, "text/html", X_USER_AGENT);
The format parameter RTLSXcCc needs four arguments -
R - response code - ret,
T- content type - text/html,
L - struct SendInstruction * - NOT PRESENT
X - user agent - X_USER_AGENT

This results in a crash.

Changing to
http_MakeMessage(&headers, 1, 1,
	 "RTLSXcCc",
	 ret, "text/html", &RespInstr, X_USER_AGENT);
solves the situation.

Yours,
Sebastian Brandt
(cherry picked from commit 25c27b8af7918a46c9a666e51a125e8c12c709d7)
2013-07-30 15:35:03 -03:00
Marcelo Roberto Jimenez
da34d1ecfe Fix for portability issue with GNU make extension 'sort'
upnp/sample/Makefile.am:67: warning: sort \
upnp/sample/Makefile.am:67:                     $(tv_ctrlpt_SOURCES: non-POSIX variable name
upnp/sample/Makefile.am:67: (probably a GNU make extension)

Reference:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=13771#8
(cherry picked from commit dcbbc30f5c41746a8c8b671dade799760b432fb1)
2013-07-30 15:32:13 -03:00
Marcelo Roberto Jimenez
fb04f12a8a Fix for warning issue in libtool
Reference:
http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html

Re: automake 1.12 and AM_PROG_AR

From:	 Nick Bowler
Subject:	 Re: automake 1.12 and AM_PROG_AR
Date:	 Thu, 10 May 2012 17:16:04 -0400
User-agent:	 Mutt/1.5.21 (2010-09-15)
On 2012-05-10 12:52 +0200, Simon Josefsson wrote:
> Hi,
>
> I have received patches similar to the one below for several of my
> projects already, and I'm beginning to think there may be something that
> could be improved in automake.  Why does automake 1.12 need something
> that 1.11 doesn't even recognize?  Perhaps a smoother way to introduce
> this behaviour is to let 1.12 automatically enable it?
>
> Alternatively, is there some other way to address the warnings that is
> better?  Does it indicate a real problem in my projects?
>
> http://lists.gnu.org/archive/html/help-libidn/2012-05/msg00000.html
> http://lists.gnu.org/archive/html/help-libidn/2012-05/txtqAGOGgtPqj.txt

FYI, since the patch is so short it would have been helpful to include
it inline in your email.  I've taken the liberty of reproducing it
below:

> --- libidn-1.24.orig/configure.ac
> +++ libidn-1.24/configure.ac
> @@ -34,6 +34,10 @@ AC_SUBST(LT_CURRENT, 17)
>  AC_SUBST(LT_REVISION, 7)
>  AC_SUBST(LT_AGE, 6)
>
> +# automake 1.12 seems to require this, but automake 1.11 doesn't recognize it
> +m4_pattern_allow([AM_PROG_AR])
> +AM_PROG_AR
> +
>  AC_PROG_CC
>  gl_EARLY
>  lgl_EARLY

First off, this patch seems wrong at a first glance by its use of
m4_pattern_allow: this is saying that "It's ok for AM_PROG_AR to appear
verbatim in the configure script".  This suggests to me that the patch
didn't actually get tested (well) on Automake 1.11, since there will
almost certainly be an error about AM_PROG_AR at configure time.

This one should actually work properly on both old and new Automake
(untested):

  m4_ifdef([AM_PROG_AR], [AM_PROG_AR])

That being said, the new warning is enabled by the -Wextra-portability
option that was added to Automake-1.12.  I'm by no means an export on
this issue, but I think it relates to new support for building with the
Microsoft compiler: in other words, I think that ignoring this warning
will not cause regressions in your package but, instead, your package
will simply not be able to make use of the new feature.

Regardless, I believe that for most packages the new warning is actually
caused by Libtool, and therefore the correct place to add the call to
AM_PROG_AR is in libtool itself, rather than ad-hoc patching of each
package individually.  You can silence the warnings (but not fix them)
by adding -Wno-extra-portability to AM_INIT_AUTOMAKE.

Cheers,
--
Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/)
(cherry picked from commit 350999187285300b1b7dec574cc745617e239bec)
2013-07-30 15:32:13 -03:00
Marcelo Roberto Jimenez
d2d33c3edb Update build/inc/autoconfig.h 2013-06-01 17:49:16 -03:00
Marcelo Roberto Jimenez
4b503acd36 Removed C++ comment 2013-06-01 17:48:00 -03:00
Thijs Schreijer
3daa9bb688 updated VS solution and project with renamed IXML_HAVE_SCRIPTSUPPORT 2013-04-29 09:55:25 +02:00
Thijs Schreijer
85922c0823 renamed SCRIPSUPPORT to IXML_HAVE_SCRIPTSUPPORT for consistency. Changed default to scriptsupport being enabled. 2013-04-27 14:58:32 +02:00
Thijs Schreijer
31acda9688 reverted the uuid functions export, too complicated to export them properly in the upnp.so file. 2013-04-27 09:30:29 +02:00
Thijs Schreijer
549313de44 passing the SCRIPTSUPPORT directive on to the IXML makefile 2013-04-27 08:24:22 +02:00
Thijs Schreijer
c45b279d6f additional header to be installed for *nix to export the uuid functions 2013-04-26 18:43:06 +02:00
Thijs Schreijer
0a5bf524cb added uuid.h to installed header files list, and added SCRIPTSUPPORT to the autoconf configure.ac file 2013-04-26 13:37:08 +02:00
Thijs Schreijer
1a60aeb958 aligned preprocessor switches acros configurations 2013-02-11 17:09:37 +01:00
Marcelo Roberto Jimenez
2bb79879b7 Security fix for CERT issue VU#922681
This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the folowing CVE
numbers:

CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt by previous
work:

CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
(cherry picked from commit f015a132e82239cbf40dcb2346d7bee83685531b)
2012-12-06 15:46:09 -02:00
Marcelo Roberto Jimenez
6a9baf6058 Merge pull request #7 from Tieske/master
updated request for https://github.com/mrjimenez/pupnp/pull/6
2012-11-13 13:17:19 -08:00
Thijs Schreijer
3f37b55ebc exported the UUID function to enable reuse in client applications 2012-10-21 21:26:11 +02:00
Thijs Schreijer
617bda0ab9 updated ChangeLog 2012-10-14 08:56:47 +02:00
Thijs Schreijer
2a0d73aeac Merge branch 'master' of git://github.com/mrjimenez/pupnp 2012-10-14 08:33:19 +02:00
Thijs Schreijer
05e6644894 added scriptsupport switch to release configuration 2012-09-21 22:20:51 +02:00
Thijs Schreijer
d00e494481 Updated parameter to UpnpAcceptSubscriptionExt to a 'const' declaration, this aligns with UpnpAcceptSubscription 2012-07-11 23:18:23 +02:00
Thijs Schreijer
6c2346a526 added debug output to ignore list
changed some project settings to make debugging available (PDB file didn't match)
2012-07-06 02:11:12 +02:00
Thijs Schreijer
77b7ec848f added ipch folder to ignore list
Added documentation/usage of SCRIPTSUPPORT to the README file.
2012-07-03 21:47:47 +02:00