
Annotation of /updates/1/libupnp/current/SOURCES/libupnp-1.6.6-VU-922681.patch



Revision 394768
Wed Feb 6 00:06:54 2013 UTC (11 years, 2 months ago) by luigiwalser
File size: 4244 byte(s)
add patch from debian to fix VU-922681
1 luigiwalser 394768 Fix for VU#922681
2    
3     This includes fix for various CVEs by more or less backporting the whole unique_service_name() function from 1.6.18.
4    
5     CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
6     CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
7     CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
8     CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
9     CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
10     CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
11     CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
12     CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
13    
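--- a/upnp/src/ssdp/ssdp_server.c
+++ b/upnp/src/ssdp/ssdp_server.c
@@ -412,7 +412,7 @@ int unique_service_name(IN char *cmd, IN
 char *ptr2 = NULL;
 char *ptr3 = NULL;
 int CommandFound = 0;
- int length = 0;
+ size_t n = (size_t)0;
 
 if( ( TempPtr = strstr( cmd, "uuid:schemas" ) ) != NULL ) {
 ptr1 = strstr( cmd, ":device" );
@@ -429,16 +429,23 @@ int unique_service_name(IN char *cmd, IN
 }
 
 if( ptr3 != NULL ) {
- sprintf( Evt->UDN, "uuid:%s", ptr3 + 1 );
+ if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
+ return -1;
+ snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
 } else {
 return -1;
 }
 
 ptr1 = strstr( cmd, ":" );
 if( ptr1 != NULL ) {
- strncpy( TempBuf, ptr1, ptr3 - ptr1 );
- TempBuf[ptr3 - ptr1] = '\0';
- sprintf( Evt->DeviceType, "urn%s", TempBuf );
+ n = (size_t)ptr3 - (size_t)ptr1;
+ n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
+ strncpy(TempBuf, ptr1, n);
+ TempBuf[n] = '\0';
+ if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
+ return -1;
+ snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
+ "urn%s", TempBuf);
 } else {
 return -1;
 }
@@ -447,10 +454,13 @@ int unique_service_name(IN char *cmd, IN
 
 if( ( TempPtr = strstr( cmd, "uuid" ) ) != NULL ) {
 if( ( Ptr = strstr( cmd, "::" ) ) != NULL ) {
- strncpy( Evt->UDN, TempPtr, Ptr - TempPtr );
- Evt->UDN[Ptr - TempPtr] = '\0';
+ n = (size_t)Ptr - (size_t)TempPtr;
+ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
+ strncpy(Evt->UDN, TempPtr, n);
+ Evt->UDN[n] = '\0';
 } else {
- strcpy( Evt->UDN, TempPtr );
+ memset(Evt->UDN, 0, sizeof(Evt->UDN));
+ strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
 }
 CommandFound = 1;
 }
@@ -458,7 +468,9 @@ int unique_service_name(IN char *cmd, IN
 if( strstr( cmd, "urn:" ) != NULL
 && strstr( cmd, ":service:" ) != NULL ) {
 if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
- strcpy( Evt->ServiceType, TempPtr );
+ memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
+ strncpy(Evt->ServiceType, TempPtr,
+ sizeof Evt->ServiceType - 1);
 CommandFound = 1;
 }
 }
@@ -466,7 +478,9 @@ int unique_service_name(IN char *cmd, IN
 if( strstr( cmd, "urn:" ) != NULL
 && strstr( cmd, ":device:" ) != NULL ) {
 if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
- strcpy( Evt->DeviceType, TempPtr );
+ memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
+ strncpy(Evt->DeviceType, TempPtr,
+ sizeof Evt->DeviceType - 1);
 CommandFound = 1;
 }
 }
@@ -474,9 +488,10 @@ int unique_service_name(IN char *cmd, IN
 if( ( TempPtr = strstr( cmd, "::upnp:rootdevice" ) ) != NULL ) {
 /* Everything before "::upnp::rootdevice" is the UDN. */
 if( TempPtr != cmd ) {
- length = TempPtr - cmd;
- strncpy(Evt->UDN, cmd, length);
- Evt->UDN[length] = 0;
+ n = (size_t)TempPtr - (size_t)cmd;
+ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
+ strncpy(Evt->UDN, cmd, n);
+ Evt->UDN[n] = 0;
 CommandFound = 1;
 }
 }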
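Review bot: In the `@@ -447,10 +454,13 @@` hunk, `n = (size_t)Ptr - (size_t)TempPtr;` relies on "::" being found after "uuid", but both `strstr` calls search from `cmd`, so when "::" comes first the subtraction wraps and the clamp on the next line turns it into a `sizeof Evt->UDN - 1` byte copy. That stays inside the buffer, yet `Evt->UDN` then carries text past the intended delimiter; searching from the match, `if( ( Ptr = strstr( TempPtr, "::" ) ) != NULL ) {`, removes the case. This hunk and the ServiceType, DeviceType and rootdevice hunks also truncate over-long values silently, while the `@@ -429,16 +429,23 @@` hunk returns -1 for them; if callers compare these fields, rejecting the message consistently looks safer than matching on a truncated identifier. `unique_service_name()` starts and ends outside the visible hunks, so how `ptr3` is derived for the similar `ptr3 - ptr1` subtraction could not be checked here.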
