commit 0edaf3361d replaced several
malloc()+strcat() sequences with strncat() using strlen() on the
*source* string.
This is still vulnerable to overwrite the *target* buffer.
While reviewing this commit change the code to directly use snprintf()
for concatenating strings and check the length of the target buffer.
Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
Suppose the UPnP device is listening on 192.168.1.102:49152. Use the following to send
garbage bytes to the device:
while true; do echo "\""; done | netcat 192.168.1.102 49152
The device just keeps receiving these bytes and its memory usage keeps growing.
Malicious client may exploit it to exhaust the device's memory.
The attached patch eliminates this possibility.
Wrong assignment by shutdown result hides the real error code
of NewRequestHandler() in ssdp_device.c.
Fix return code description of NewRequestHandler().
Handle return code from ithread_create in sample applications.
Remove unused assignments.
Add --enable-unspecified_server configure option to set to "Unspecified"
the OS name, OS version, product name and product version normally
contained in the SERVER header as this could be used by an attacker.
Cast parameters of htonl in uint32_t in IN6_IS_ADDR_GLOBAL and
IN6_IS_ADDR_ULA definitions.
Remove comparison with 0 in while statement of vfmatch,
http_SendMessage and http_MakeMessage.
Comment unused SERVER from DeviceShutdown.
Comment unused max from parse_hostport.
Comment unused nodeptr from ixmlNode_cloneDoc.
Comment unused newNode from Parser_hasDefaultNamespace.
Comment unused Parser_parseReference function
Check return code of shutdown and display an error if needed.
src/genlib/net/http/httpreadwrite.c: In function ‘http_Download’:
src/genlib/net/http/httpreadwrite.c:790:5: warning: format ‘%d’ expects
type ‘int’, but argument 6 has type ‘size_t’
src/genlib/net/http/httpreadwrite.c:790:5: warning: format ‘%d’ expects
type ‘int’, but argument 7 has type ‘size_t’
(cherry picked from commit 5969530dcf)
Change ret_code from int to parse_status_t in match.
Set back return code of ReadResponseLineAndHeaders from parse_status_t
to int as this function can return UPNP_E_BAD_HTTPMSG. As a result, do
not cast the result of this function into parse_status_t in
http_OpenHttpGetProxy and http_OpenHttpGetEx.
Use switch with PARSE_OK in parsetools.c.
Add missing explicit casts of integer constants in uri.c and
httpreadwrite.c.
Use switch, int and sa_family_t with AF_INET in uri.c.
Print an error in http_Download if realloc failed.
Submitted: Yoichi NAKAYAMA ( yoichi ) - 2012-03-08 10:18:39 PST
97a17ff5ad commit breaks build on
windows/msvc since there is no snprintf.
Note:
* Some existing sources use _snprintf when WIN32 is defined, but its
behavior is a bit different from C99 snprintf.
* snprintf does terminate the buffer, so the commit (use buffer size
minus 1 as argument) changes the behavior at the boundary.
* Truncation might be better than crash in some cases. But it may
result in not good.
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:31:16 PST
Memsetting to 0 some of the structures: finfo in process_request,
job in readFromSSDPSocket, request in http_OpenHttpGetEx, job in
genaNotifyThread, job in genaNotifyAllExt, job in genaNotifyAll,
job in genaInitNotifyExt, job in genaInitNotify, LocalAddr in
getlocalhostname.
Attached is a patch that resolved an issue I found with a server that
gave its device description URI without a trailing slash (e.g.
`http://127.0.0.1:5555`).
Currently, http_SendMessage was not able to write to write a buffer
due to a bad use of file_buf instead of buf. This bug was introduced by
the 0197-Doxygen-reformating-compiler-warnings patch.
Currently, pupnp is using a blocking connect to sends GENA
notifications. As a result, when there is a lot of notifications with
CPs which were disconnected without unsusbcribing, all the pupnp
threads are blocked for 20s (timeout). To correct this issue, this
patch replace the call to connect with a call to private_connect and add
a compilation flag to disable blocking TCP connections, so if we are not
able to connect to the CP, the notification is lost.
This patch adds the WEB_SERVER_CONTENT_LANGUAGE parameter so the user can specify
the language used by the device during Description and Presentation steps of UPnP
through the HTTP CONTENT-LANGUAGE header.
By default, the WEB_SERVER_CONTENT_LANGUAGE is an empty string so no
CONTENT-LANGUAGE is added.
Hi,
I've made some modification to the libupnp v1.6.5
I've add a timeout for each TCP connect.
It is very useful when an UPnP device stop working and do not accept
connection for an UPnP action.
Modifications are only located in
upnp/src/genlib/net/http/httpreadwrite.c
For every TCP connection, I set the socket to non-blocking, perform
connect,
check result and wait during a timeout if necessary, then reset the
socket to blocking.
Please see this patch in attached file.
I hope it helps.
Regards,
David Hoeung
Consultant Extia
Orange Labs R&D
----
crash. This happens when the file being downloaded exceeds the device
memory - entirely possible when transferring video files.
The programmatic cause is that the logic implemented in the function
http_ReadHttpGet (which UpnpReadHttpGet calls) reads the entire file
into memory. The fix modifies the existing logic to discard data after
it's been read; there's no reason to keep it around since the caller
of UpnpReadHttpGet already has a copy of it.
This issue exists in 1.6.6 as well as the latest sources.
Patch submitted by Chandra (inactiveneurons).
use connect() are broken. More specifically, connect() in these methods
is returning with an EINVAL. The programatic cause is that the address_len
argument passed to connect() is different in IPV4 vs IPV6 (as described in:
http://www.opengroup.org/onlinepubs/009695399/functions/connect.html).
The current code always uses the IPV6 size. The fix modifies each use of
connect() to use the correct size based on the address family being used.
Patch submitted by Chandra (inactiveneurons).