/[packages]/updates/1/libupnp/current/SOURCES/libupnp-1.6.6-VU-922681.patch
ViewVC logotype

Contents of /updates/1/libupnp/current/SOURCES/libupnp-1.6.6-VU-922681.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 394768 - (show annotations) (download)
Wed Feb 6 00:06:54 2013 UTC (8 years, 5 months ago) by luigiwalser
File size: 4244 byte(s)
add patch from debian to fix VU-922681
1 Fix for VU#922681
2
3 This includes fix for various CVEs by more or less backporting the whole unique_service_name() function from 1.6.18.
4
5 CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
6 CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
7 CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
8 CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
9 CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
10 CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
11 CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
12 CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
13
14 --- a/upnp/src/ssdp/ssdp_server.c
15 +++ b/upnp/src/ssdp/ssdp_server.c
16 @@ -412,7 +412,7 @@ int unique_service_name(IN char *cmd, IN
17 char *ptr2 = NULL;
18 char *ptr3 = NULL;
19 int CommandFound = 0;
20 - int length = 0;
21 + size_t n = (size_t)0;
22
23 if( ( TempPtr = strstr( cmd, "uuid:schemas" ) ) != NULL ) {
24 ptr1 = strstr( cmd, ":device" );
25 @@ -429,16 +429,23 @@ int unique_service_name(IN char *cmd, IN
26 }
27
28 if( ptr3 != NULL ) {
29 - sprintf( Evt->UDN, "uuid:%s", ptr3 + 1 );
30 + if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
31 + return -1;
32 + snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
33 } else {
34 return -1;
35 }
36
37 ptr1 = strstr( cmd, ":" );
38 if( ptr1 != NULL ) {
39 - strncpy( TempBuf, ptr1, ptr3 - ptr1 );
40 - TempBuf[ptr3 - ptr1] = '\0';
41 - sprintf( Evt->DeviceType, "urn%s", TempBuf );
42 + n = (size_t)ptr3 - (size_t)ptr1;
43 + n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
44 + strncpy(TempBuf, ptr1, n);
45 + TempBuf[n] = '\0';
46 + if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
47 + return -1;
48 + snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
49 + "urn%s", TempBuf);
50 } else {
51 return -1;
52 }
53 @@ -447,10 +454,13 @@ int unique_service_name(IN char *cmd, IN
54
55 if( ( TempPtr = strstr( cmd, "uuid" ) ) != NULL ) {
56 if( ( Ptr = strstr( cmd, "::" ) ) != NULL ) {
57 - strncpy( Evt->UDN, TempPtr, Ptr - TempPtr );
58 - Evt->UDN[Ptr - TempPtr] = '\0';
59 + n = (size_t)Ptr - (size_t)TempPtr;
60 + n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
61 + strncpy(Evt->UDN, TempPtr, n);
62 + Evt->UDN[n] = '\0';
63 } else {
64 - strcpy( Evt->UDN, TempPtr );
65 + memset(Evt->UDN, 0, sizeof(Evt->UDN));
66 + strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
67 }
68 CommandFound = 1;
69 }
70 @@ -458,7 +468,9 @@ int unique_service_name(IN char *cmd, IN
71 if( strstr( cmd, "urn:" ) != NULL
72 && strstr( cmd, ":service:" ) != NULL ) {
73 if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
74 - strcpy( Evt->ServiceType, TempPtr );
75 + memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
76 + strncpy(Evt->ServiceType, TempPtr,
77 + sizeof Evt->ServiceType - 1);
78 CommandFound = 1;
79 }
80 }
81 @@ -466,7 +478,9 @@ int unique_service_name(IN char *cmd, IN
82 if( strstr( cmd, "urn:" ) != NULL
83 && strstr( cmd, ":device:" ) != NULL ) {
84 if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
85 - strcpy( Evt->DeviceType, TempPtr );
86 + memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
87 + strncpy(Evt->DeviceType, TempPtr,
88 + sizeof Evt->DeviceType - 1);
89 CommandFound = 1;
90 }
91 }
92 @@ -474,9 +488,10 @@ int unique_service_name(IN char *cmd, IN
93 if( ( TempPtr = strstr( cmd, "::upnp:rootdevice" ) ) != NULL ) {
94 /* Everything before "::upnp::rootdevice" is the UDN. */
95 if( TempPtr != cmd ) {
96 - length = TempPtr - cmd;
97 - strncpy(Evt->UDN, cmd, length);
98 - Evt->UDN[length] = 0;
99 + n = (size_t)TempPtr - (size_t)cmd;
100 + n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
101 + strncpy(Evt->UDN, cmd, n);
102 + Evt->UDN[n] = 0;
103 CommandFound = 1;
104 }
105 }

  ViewVC Help
Powered by ViewVC 1.1.28