Commit Graph

68 Commits

Author SHA1 Message Date
Philipp Matthias Hahn
848d66e69d Fix broken strncat(..., strlen())
commit 0edaf3361d replaced several
malloc()+strcat() sequences with strncat() using strlen() on the
*source* string.
This is still vulnerable to overwrite the *target* buffer.

While reviewing this commit change the code to directly use snprintf()
for concatenating strings and check the length of the target buffer.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
2014-09-22 11:19:25 -03:00
Peng
9a9c4e829e Avoid malicious client exploit to exhaust the device's memory
Suppose the UPnP device is listening on 192.168.1.102:49152. Use the following to send
garbage bytes to the device:
while true; do echo "\""; done | netcat 192.168.1.102 49152

The device just keeps receiving these bytes and its memory usage keeps growing.
Malicious client may exploit it to exhaust the device's memory.

The attached patch eliminates this possibility.
2013-09-02 14:56:11 -03:00
Anoop Mohan
6db2271ac3 Fixes a bug in non blocking connect call
This patch fixes a bug in non blocking connect call where the sock
option length for SO_ERROR was passed as 0 instead of sizeof(int).
2012-05-25 11:59:21 -03:00
Yoichi NAKAYAMA
39dfad2cba Fix problems detected as dead assignment warning by clang scan-build.
Wrong assignment by shutdown result hides the real error code
of NewRequestHandler() in ssdp_device.c.
Fix return code description of NewRequestHandler().
Handle return code from ithread_create in sample applications.
Remove unused assignments.
2012-04-21 11:38:20 +09:00
Yoichi NAKAYAMA
34a77cc095 SF Bug Tracker id 3507819 - Use of thread-unsafe gmtime() in httpreadwrite.c
Define http_gmtime_r and web_server_asctime_r and use it.
Those prefix are added since pthread for Win32 already
has macro gmtime_r and asctime_r.
2012-04-06 03:13:43 +09:00
Fabrice Fontaine
777c936f4c Compilation optimisation
Do not compile the code related to the webserver in http_SendMessage
when --disable-webserver is set
2012-04-03 16:11:31 +02:00
Fabrice Fontaine
49af91fe48 Add --enable-unspecified_server
Add --enable-unspecified_server configure option to set to "Unspecified"
the OS name, OS version, product name and product version normally
contained in the SERVER header as this could be used by an attacker.
2012-03-30 21:57:51 +02:00
Fabrice Fontaine
804088d859 Remove implicit casts
Cast parameters of htonl in uint32_t in IN6_IS_ADDR_GLOBAL and
IN6_IS_ADDR_ULA definitions.
Remove comparison with 0 in while statement of vfmatch,
http_SendMessage and http_MakeMessage.
2012-03-24 22:20:18 +01:00
Fabrice Fontaine
a04c36f47e Replace sprintf by snprintf in http_WriteHttpPost
Replace sprintf by snprintf in http_WriteHttpPost to avoid buffer
overflow.
2012-03-18 16:14:41 +01:00
Fabrice Fontaine
e13ffe3bf8 Add infoSize parameter to get_sdk_info
Add infoSize parameter to get_sdk_info function to replace sprintf call
by a snprintf call.
2012-03-18 15:23:59 +01:00
Fabrice Fontaine
cb07623dde Add more explicit casts and remove dead code
Comment unused SERVER from DeviceShutdown.
Comment unused max from parse_hostport.
Comment unused nodeptr from ixmlNode_cloneDoc.
Comment unused newNode from Parser_hasDefaultNamespace.
Comment unused Parser_parseReference function
Check return code of shutdown and display an error if needed.
2012-03-16 11:30:42 +01:00
Marcelo Roberto Jimenez
c9f3e26f24 Fix for compiler warning messages
src/genlib/net/http/httpreadwrite.c: In function ‘http_Download’:
src/genlib/net/http/httpreadwrite.c:790:5: warning: format ‘%d’ expects
type ‘int’, but argument 6 has type ‘size_t’
src/genlib/net/http/httpreadwrite.c:790:5: warning: format ‘%d’ expects
type ‘int’, but argument 7 has type ‘size_t’
(cherry picked from commit 5969530dcf)
2012-03-15 11:50:48 -03:00
Fabrice Fontaine
b116d10f37 Improve upnp/genlib/net
Change ret_code from int to parse_status_t in match.
Set back return code of ReadResponseLineAndHeaders from parse_status_t
to int as this function can return UPNP_E_BAD_HTTPMSG. As a result, do
not cast the result of this function into parse_status_t in
http_OpenHttpGetProxy and http_OpenHttpGetEx.
Use switch with PARSE_OK in parsetools.c.
Add missing explicit casts of integer constants in uri.c and
httpreadwrite.c.
Use switch, int and sa_family_t with AF_INET in uri.c.
Print an error in http_Download if realloc failed.
2012-03-15 09:31:44 +01:00
Fabrice Fontaine
05fb3f8026 Fix missing break in http_RecvMessage
There was a missing break in PARSE_INCOMPLETE_ENTITY due to commit
2eb3e069ba.
2012-03-14 18:43:14 +01:00
Fabrice Fontaine
c40d2bc0c9 Remove more implicit casts in upnp part
Remove more "implicit integer or enum conversions" errors as well as
dead code.
2012-03-11 22:45:10 +01:00
Fabrice Fontaine
2eb3e069ba Remove more implicit casts in upnp part
Remove more "implicit integer or enum conversions" as well as memset
before snprintf.
2012-03-10 22:52:57 +01:00
Fabrice Fontaine
c67187ac94 Remove some of the implicit cast in upnp part
Remove some of the "implicit integer or enum conversions" as well as
some access to NULL reference in upnp part.
2012-03-10 20:44:49 +01:00
Yoichi NAKAYAMA
d952ebfb44 Handle overflow in http_SendMessage. 2012-03-11 03:33:14 +09:00
Fabrice Fontaine
e722d8c375 SF Bug Tracker id 3499781 - msvc doesn't have snprintf
Submitted: Yoichi NAKAYAMA ( yoichi ) - 2012-03-08 10:18:39 PST

97a17ff5ad commit breaks build on
windows/msvc since there is no snprintf.

Note:
* Some existing sources use _snprintf when WIN32 is defined, but its
behavior is a bit different from C99 snprintf.
* snprintf does terminate the buffer, so the commit (use buffer size
minus 1 as argument) changes the behavior at the boundary.
* Truncation might be better than crash in some cases. But it may
result in not good.
2012-03-09 15:02:49 +01:00
Fabrice Fontaine
97a17ff5ad Remove most of strcpy, sprintf and strcat
Replace strcpy, sprintf and strcat by strncpy, snprintf and strncat to
avoid buffer overflows.
2012-03-08 14:07:27 +01:00
Fabrice Fontaine
5caaf3ad07 SF Bug Tracker id 3497009 - Resource leak in http_SendMessage
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 05:51:44 PST

Fp is not closed if fseeko(Fp, Instr->RangeOffset, SEEK_CUR) does not return 0.
2012-03-05 17:12:15 +01:00
Fabrice Fontaine
7301f46269 SF Bug Tracker id 3496938 - Missing structures initialisation in some functions
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:31:16 PST

Memsetting to 0 some of the structures: finfo in process_request,
job in readFromSSDPSocket, request in http_OpenHttpGetEx, job in
genaNotifyThread, job in genaNotifyAllExt, job in genaNotifyAll,
job in genaInitNotifyExt, job in genaInitNotify, LocalAddr in
getlocalhostname.
2012-03-05 11:52:22 +01:00
Edwin Stearns
a9c24fc7f3 Be nice to a server that returns its URL without a trailing slash
Attached is a patch that resolved an issue I found with a server that
gave its device description URI without a trailing slash (e.g.
`http://127.0.0.1:5555`).
2012-02-18 11:35:21 -02:00
Iain Denniston
92ea719804 Fixes for compilation under Windows (specifically MSVC). Also added MSVC supported "_inline", and fixed some WIN32 specific warnings. 2011-04-02 23:47:00 -03:00
Iain Denniston
fed316ff3e Several fixes to correctly use SOCKET (and related) types instead of non-portable variations. 2011-04-02 23:38:53 -03:00
Marcelo Roberto Jimenez
3a9ae348bc Created the macros PRIzd and PRIzx to deal with MSVC lack of C99.
Thanks to Iain Denniston for pointing it out.
2011-03-11 17:20:17 -03:00
Chandra Penke
cb1188d2bc Fixes chunked transfer encoding in HTTP client API 2011-01-15 21:11:24 -02:00
Marcelo Roberto Jimenez
39fd869db8 Leave just one call to gmtime() in http_MakeMessage(). 2011-01-02 22:36:13 -02:00
Marcelo Roberto Jimenez
8997e7fff6 Make sure va_end() is called in http_MakeMessage(). 2011-01-02 22:31:10 -02:00
Marcelo Roberto Jimenez
f67ed1949b Less include file mess and doxygenation. 2010-12-19 19:02:42 -02:00
Marcelo Roberto Jimenez
04d64a893b Doxygenation of SSDP library. 2010-12-19 13:41:58 -02:00
Marcelo Roberto Jimenez
462505ff62 Use the new include files UpnpIntTypes.h, UpnpStdInt.h and UpnpUniStd.h.
Trying to keep platform dependency on the headers and clean the main
code a little bit.
2010-12-18 17:08:36 -02:00
Marcelo Roberto Jimenez
9a28fcc95b Fixes a bug introduced in a previous commit in http_SendMessage.
The variable num_read was beeing used without beeing initialized.

Also, clean up the function return path and make sure va_end()
is beeing called.
2010-11-24 11:26:00 -02:00
Fabrice Fontaine
2c3bce13bd Major bug fix in http_SendMessage.
Currently, http_SendMessage was not able to write to write a buffer
due to a bad use of file_buf instead of buf. This bug was introduced by
the 0197-Doxygen-reformating-compiler-warnings patch.
2010-11-24 08:21:41 -02:00
Marcelo Roberto Jimenez
c21a67f2d1 Doxygen, reformating, compiler warnings. 2010-11-21 21:40:07 -02:00
Marcelo Roberto Jimenez
594c611a33 gena: fix several compiler warnings. 2010-11-20 13:48:50 -02:00
Marcelo Roberto Jimenez
5d6bcabd45 Removes C++ style comments. 2010-11-16 03:14:12 -02:00
Marcelo Roberto Jimenez
2dd19e5894 ReadResponseLineAndHeaders() is static.
(cherry picked from commit eb5db65692)
2010-11-11 22:00:27 -02:00
Fabrice Fontaine
32cffb5bb5 Add --disable-blocking-tcp-connections flag.
Currently, pupnp is using a blocking connect to sends GENA
notifications. As a result, when there is a lot of notifications with
CPs which were disconnected without unsusbcribing, all the pupnp
threads are blocked for 20s (timeout). To correct this issue, this
patch replace the call to connect with a call to private_connect and add
a compilation flag to disable blocking TCP connections, so if we are not
able to connect to the CP, the notification is lost.
2010-11-11 21:40:22 -02:00
Stefan Sommerfeld
508b782c79 Fixed some typos. 2010-11-07 18:42:44 -02:00
Stefan Sommerfeld
fcb5e7c438 Fix for size_t related warnings. 2010-11-07 18:31:48 -02:00
Stefan Sommerfeld
4b47e6a51d Fix for mixed usage of SOCKET and int. 2010-11-07 17:52:14 -02:00
Marcelo Roberto Jimenez
5b40cfa272 Misplaced declaration of UpnpCloseSocket. 2010-10-15 12:17:15 -03:00
Fabrice Fontaine
d2238615e3 Add Content-Language iff Accept-Language
Add Content-Language header in the response if and only if there is an Accept-Language header in the request.
2010-09-21 13:50:29 -03:00
Fabrice Fontaine
2fcbe6df52 Addition of WEB_SERVER_CONTENT_LANGUAGE parameter
This patch adds the WEB_SERVER_CONTENT_LANGUAGE parameter so the user can specify
the language used by the device during Description and Presentation steps of UPnP
through the HTTP CONTENT-LANGUAGE header.
By default, the WEB_SERVER_CONTENT_LANGUAGE is an empty string so no
CONTENT-LANGUAGE is added.
2010-09-21 08:48:40 -03:00
David Hoeung
67009170d1 Timeout for TCP connect
Hi,

I've made some modification to the libupnp v1.6.5
I've add a timeout for each TCP connect.

It is very useful when an UPnP device stop working and do not accept
connection for an UPnP action.

Modifications are only located in
upnp/src/genlib/net/http/httpreadwrite.c

For every TCP connection, I set the socket to non-blocking, perform
connect,
check result and wait during a timeout if necessary, then reset the
socket to blocking.

Please see this patch in attached file.

I hope it helps.

Regards,

David Hoeung
Consultant Extia
Orange Labs R&D

----
2010-09-11 00:17:55 -03:00
Marcelo Roberto Jimenez
4657e57766 Using UpnpReadHttpGet to download large files causes the application to
crash. This happens when the file being downloaded exceeds the device
memory - entirely possible when transferring video files.
The programmatic cause is that the logic implemented in the function
http_ReadHttpGet (which UpnpReadHttpGet calls) reads the entire file
into memory. The fix modifies the existing logic to discard data after
it's been read; there's no reason to keep it around since the caller
of UpnpReadHttpGet already has a copy of it.

This issue exists in 1.6.6 as well as the latest sources.

Patch submitted by Chandra (inactiveneurons).
2010-09-07 22:15:21 -03:00
Marcelo Roberto Jimenez
21660334e4 In the latest sources, http_RequestAndResponse and other methods that
use connect() are broken. More specifically, connect() in these methods
is returning with an EINVAL. The programatic cause is that the address_len
argument passed to connect() is different in IPV4 vs IPV6 (as described in:
http://www.opengroup.org/onlinepubs/009695399/functions/connect.html).
The current code always uses the IPV6 size. The fix modifies each use of
connect() to use the correct size based on the address family being used.

Patch submitted by Chandra (inactiveneurons).
2010-09-07 21:56:53 -03:00
Marcelo Roberto Jimenez
5eb55e0fb2 Backport of svn revision 504:
SF Patch Tracker [ 2969188 ] 1.8.0: patch for FreeBSD compilation
	Submitted By: Nick Leverton (leveret)
	Fix the order of header inclusion for FreeBSD.


git-svn-id: https://pupnp.svn.sourceforge.net/svnroot/pupnp/branches/branch-1.6.x@509 119443c7-1b9e-41f8-b6fc-b9c35fce742c
2010-03-21 15:42:40 +00:00
Marcelo Roberto Jimenez
bcf5a5c5e0 Backport: Debug code for http_RecvMessage().
git-svn-id: https://pupnp.svn.sourceforge.net/svnroot/pupnp/branches/branch-1.6.x@450 119443c7-1b9e-41f8-b6fc-b9c35fce742c
2008-07-10 04:15:36 +00:00