Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 12:33:59 PST
Fp is not closed when an error is raised on membuffer_append or
sock_read.
(cherry picked from commit 30badb44c7)
Submitted: Terry Farnham ( tfarnham ) - 2011-06-23 09:45:54 PDT
Details: The following bit of xml results in a memory leak from the xml
parser:
const char *xmlbuffer="<?xml version=\"1.0\" encoding=\"utf-8\"?>
<root xmlns=\"urn:schemas-upnp-org:device-1-0\" xmlns:dlna=\"urn:schemas-dlna-org:device-1-0\">
<dlna:X_DLNADOC xmlns:dlna=\"urn:schemas-dlna-org:device-1-0\">DMS-1.50</dlna:X_DLNADOC></root>";
When I execute the following code:
IXML_Document *doc = ixmlParseBuffer(xmlbuffer);
ixmlDocument_free(doc);
It results in a memory leak in ixmlparser.c line 2107 where it calls
safe_strdup( newElement->namespaceURI ); It's difficult to figure out why.
(cherry picked from commit d6f1e4112e)
Submitted: Sunil ( sunilangadi ) - 2011-10-02 08:28:47 PDT
Details: I observed crash in the below mentioned log statement in
function upnpfinish(file: upnpapi.c).
UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__, "Exiting UpnpFinish:
UpnpSdkInit is :%d:\n", UpnpSdkInit);
In particular it was crashing in ithread_self in
UpnpDisplayFileAndLine(file upnpdebug.c) on WIN32.
Moving the call ithread_cleanup_library() below the upnp printf call
mentioned above in function upnpfinish fixed the crash but I couldn't get
to the root of the problem.
The problem was observed on WIN32.
(cherry picked from commit e5887c9036)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 06:42:18 PST
gIF_IPV4, gIF_IPV6 and gIF_IPV6_ULA_GUA might be not null terminated.
Moreover, gIF_IPV4 should be 16 characters (INET_ADDRSTRLEN) and not 22
and gIF_IPV6 should be 46 characters (INET6_ADDRSTRLEN) and not 65.
(cherry picked from commit f6e88d5b0a)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 05:51:44 PST
Fp is not closed if fseeko(Fp, Instr->RangeOffset, SEEK_CUR) does not return 0.
(cherry picked from commit 5caaf3ad07)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:55:54 PST
element was not freed if membuffer_append_str(&url_str, "http://") does
not return 0. Moreover addNew was not used.
(cherry picked from commit da244683cf)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:31:16 PST
Memsetting to 0 some of the structures: finfo in process_request,
job in readFromSSDPSocket, request in http_OpenHttpGetEx, job in
genaNotifyThread, job in genaNotifyAllExt, job in genaNotifyAll,
job in genaInitNotifyExt, job in genaInitNotify, LocalAddr in
getlocalhostname.
(cherry picked from commit 7301f46269)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:15:34 PST
An out-of-bands access is raised because size of
RespInst->AcceptLanguageHeader is 200 and TmpBuf size is 180.
(cherry picked from commit 69f3fe2330)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-02-29 02:09:43 PST
newAttrNode is not freed if newAttr->n.nodeValue = strdup(value); returns
NULL or if ixmlElement_setAttributeNodeNS(element, newAttr, NULL) does
not return IXML_SUCCESS.
(cherry picked from commit a79a149e6a)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-02-28 04:27:54 PST
ixmlFreeDOMString(ActNodeName); is called twice if
ixmlParseBufferEx(ActNodeName, RespNode); does not return IXML_SUCCESS.
(cherry picked from commit 0693adc7dc)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-02-28 04:01:02 PST
There is a memory leak in ixmlDocument_createElementEx:
newElement->tagName is not freed if
newElement->n.nodeName = strdup(tagName); returns NULL.
(cherry picked from commit 076f8e5be6)
Submitted: Marcelo Roberto jimenez ( mroberto ) - 2012-02-26 16:50:23 PST
src/genlib/net/http/httpparser.c: In function ‘parser_parse_requestline’:
src/genlib/net/http/httpparser.c:1319:28: warning: ‘index’ may be used uninitialized in this function
Submitted: Yoichi NAKAYAMA ( yoichi ) - 2012-02-21 07:06:35 PST
In genaSubscribe() (defined in upnp/src/gena/gena_ctrlpt.c),
ActualSID and EventURL will not be freed if ScheduleGenaAutoRenew
returns UPNP_E_SUCCESS.
This fixes the an issue introduced by the previous fix.
Submitted: Yoichi NAKAYAMA ( yoichi ) - 2012-02-21 07:06:35 PST
In genaSubscribe() (defined in upnp/src/gena/gena_ctrlpt.c),
ActualSID and EventURL will not be freed if ScheduleGenaAutoRenew
returns UPNP_E_SUCCESS.
This fixes the original issue.
(cherry picked from commit bc473d5e68)
Conflicts:
upnp/src/gena/gena_ctrlpt.c
Submitted by Berend Dekens ( Berend Dekens ) - 2012-02-08 06:24:31 PST
In httpparser.c on line 1385 it says that HTTP 1.0 replies are blocked
because the UPnP verfication tool requires this.
I looked in the specs and as far as I can find, one should only be
carefull to send chunked communication to hosts supporting HTTP 1.1.
There is no requirement to support only HTTP 1.1.
The XBMC media server uses the Platinum UPnP library which replies
using HTTP/1.0 messages. As it is now, libupnp returns an error while
trying to parse the response while the response itself is completely
valid.
Is there a requirement in the UPnP 1.0 spec that I missed or is this
restriction self-imposed? And can it be lifted?
-------------------------------------------------------------------
Comment by Fabrice Fontaine:
Hide
Hi,
You're right, this modification should be removed. This version checking
was wrongly added in parser_parse_responseline function.
...
(cherry picked from commit d87c966ec5)
Attached is a patch that resolved an issue I found with a server that
gave its device description URI without a trailing slash (e.g.
`http://127.0.0.1:5555`).
(cherry picked from commit a9c24fc7f3)
Small bug fix on IPv6 Control Point: now CP will also send M-SEARCH on
site-scope address (FF05::C) instead of only sending M-SEARCH on
link-scope (FF02::C).
Setting IPv6 sockets with IPV6_V6ONLY flag to avoid getting IP packets
with IPv4-mapped IPv6 addresses on IPv6 sockets.
(cherry picked from commit 80a65e5f61)
SF Bug tracker, ID: 3469344
Submitted: dimmman ( dimmman ) - 2012-01-04 01:44:29 PST
Details: Looking at the code (v1.6.14, upnptools.c) for UpnpResolveURL
and UpnpResolveURL2 it shows that the ExitFunction: always returns
UPNP_E_SUCCESS.
I'm farily sure it's a simple mistake that should have been "return ret;"
in both cases.
Br,
Jonny
(cherry picked from commit 3b33626e2f)
Adding two new functions (UpnpSendAdvertisementLowPower and
UpnpUnRegisterRootDeviceLowPower) which can be used to specify values
for the three SSDP headers defined by UPnP Low Power. Those headers are
Powerstate, SleepPeriod and RegistrationState.
(cherry picked from commit 98e4f938d6)
Putting all access to ssdpReqSock4 and ssdpReqSock6 under
INCLUDE_CLIENT_APIS compilation flag to be able to compile when
client part of library is disable.
(cherry picked from commit 0996d23318)
Add a new UpnpRegisterRootDevice4 which allow user to specify a
description URL to be returned for legacy CPs (for example, CPs
searching for a v1 when the device is v2). Most of those CPs does not
work if they found a v2 in the XML description, so this new function is
only used to solve interoperability issues.
(cherry picked from commit 11f9a2bafe)
