current/SOURCES/libupnp-1.6.15-VU-922681.patch

Fix for VU#922681

This includes fix for various CVEs by more or less backporting the whole unique_service_name() function from 1.6.18.

CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType

--- libupnp-1.6.15/upnp/src/ssdp/ssdp_server.c.orig     2011-11-04 18:33:59.000000000 -0400
+++ libupnp-1.6.15/upnp/src/ssdp/ssdp_server.c  2012-12-06 12:46:09.000000000 -0500
@@ -452,7 +454,7 @@ int unique_service_name(char *cmd, SsdpE
        char *ptr2 = NULL;
        char *ptr3 = NULL;
        int CommandFound = 0;
-       size_t n = 0;
+       size_t n = (size_t)0;
 
        if ((TempPtr = strstr(cmd, "uuid:schemas")) != NULL) {
                ptr1 = strstr(cmd, ":device");
@@ -464,45 +466,60 @@ int unique_service_name(char *cmd, SsdpE
                        ptr3 = strstr(ptr2 + 1, ":");
                else
                        return -1;
-               if (ptr3 != NULL)
-                       sprintf(Evt->UDN, "uuid:%s", ptr3 + 1);
+               if (ptr3 != NULL) {
+                       if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
+                               return -1;
+                       snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
+               }
                else
                        return -1;
                ptr1 = strstr(cmd, ":");
                if (ptr1 != NULL) {
-                       n = (size_t) (ptr3 - ptr1);
+                       n = (size_t)ptr3 - (size_t)ptr1;
+                       n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
                        strncpy(TempBuf, ptr1, n);
                        TempBuf[n] = '\0';
-                       sprintf(Evt->DeviceType, "urn%s", TempBuf);
+                       if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
+                               return -1;
+                       snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
+                               "urn%s", TempBuf);
                } else
                        return -1;
                return 0;
        }
        if ((TempPtr = strstr(cmd, "uuid")) != NULL) {
                if ((Ptr = strstr(cmd, "::")) != NULL) {
-                       n = (size_t) (Ptr - TempPtr);
+                       n = (size_t)Ptr - (size_t)TempPtr;
+                       n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
                        strncpy(Evt->UDN, TempPtr, n);
                        Evt->UDN[n] = '\0';
-               } else
-                       strcpy(Evt->UDN, TempPtr);
+               } else {
+                       memset(Evt->UDN, 0, sizeof(Evt->UDN));
+                       strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
+               }
                CommandFound = 1;
        }
        if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) {
                if ((TempPtr = strstr(cmd, "urn")) != NULL) {
-                       strcpy(Evt->ServiceType, TempPtr);
+                       memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
+                       strncpy(Evt->ServiceType, TempPtr,
+                               sizeof Evt->ServiceType - 1);
                        CommandFound = 1;
                }
        }
        if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) {
                if ((TempPtr = strstr(cmd, "urn")) != NULL) {
-                       strcpy(Evt->DeviceType, TempPtr);
+                       memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
+                       strncpy(Evt->DeviceType, TempPtr,
+                               sizeof Evt->DeviceType - 1);
                        CommandFound = 1;
                }
        }
        if ((TempPtr = strstr(cmd, "::upnp:rootdevice")) != NULL) {
                /* Everything before "::upnp::rootdevice" is the UDN. */
                if (TempPtr != cmd) {
-                       n = (size_t) (TempPtr - cmd);
+                       n = (size_t)TempPtr - (size_t)cmd;
+                       n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
                        strncpy(Evt->UDN, cmd, n);
                        Evt->UDN[n] = 0;
                        CommandFound = 1;
1	luigiwalser	394767	Fix for VU#922681
2
3			This includes fix for various CVEs by more or less backporting the whole unique_service_name() function from 1.6.18.
4
5			CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
6			CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
7			CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
8			CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
9			CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
10			CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
11			CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
12			CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
13
14			--- libupnp-1.6.15/upnp/src/ssdp/ssdp_server.c.orig 2011-11-04 18:33:59.000000000 -0400
15			+++ libupnp-1.6.15/upnp/src/ssdp/ssdp_server.c 2012-12-06 12:46:09.000000000 -0500
16			@@ -452,7 +454,7 @@ int unique_service_name(char *cmd, SsdpE
17			char *ptr2 = NULL;
18			char *ptr3 = NULL;
19			int CommandFound = 0;
20			- size_t n = 0;
21			+ size_t n = (size_t)0;
22
23			if ((TempPtr = strstr(cmd, "uuid:schemas")) != NULL) {
24			ptr1 = strstr(cmd, ":device");
25			@@ -464,45 +466,60 @@ int unique_service_name(char *cmd, SsdpE
26			ptr3 = strstr(ptr2 + 1, ":");
27			else
28			return -1;
29			- if (ptr3 != NULL)
30			- sprintf(Evt->UDN, "uuid:%s", ptr3 + 1);
31			+ if (ptr3 != NULL) {
32			+ if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
33			+ return -1;
34			+ snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
35			+ }
36			else
37			return -1;
38			ptr1 = strstr(cmd, ":");
39			if (ptr1 != NULL) {
40			- n = (size_t) (ptr3 - ptr1);
41			+ n = (size_t)ptr3 - (size_t)ptr1;
42			+ n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
43			strncpy(TempBuf, ptr1, n);
44			TempBuf[n] = '\0';
45			- sprintf(Evt->DeviceType, "urn%s", TempBuf);
46			+ if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
47			+ return -1;
48			+ snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
49			+ "urn%s", TempBuf);
50			} else
51			return -1;
52			return 0;
53			}
54			if ((TempPtr = strstr(cmd, "uuid")) != NULL) {
55			if ((Ptr = strstr(cmd, "::")) != NULL) {
56			- n = (size_t) (Ptr - TempPtr);
57			+ n = (size_t)Ptr - (size_t)TempPtr;
58			+ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
59			strncpy(Evt->UDN, TempPtr, n);
60			Evt->UDN[n] = '\0';
61			- } else
62			- strcpy(Evt->UDN, TempPtr);
63			+ } else {
64			+ memset(Evt->UDN, 0, sizeof(Evt->UDN));
65			+ strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
66			+ }
67			CommandFound = 1;
68			}
69			if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) {
70			if ((TempPtr = strstr(cmd, "urn")) != NULL) {
71			- strcpy(Evt->ServiceType, TempPtr);
72			+ memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
73			+ strncpy(Evt->ServiceType, TempPtr,
74			+ sizeof Evt->ServiceType - 1);
75			CommandFound = 1;
76			}
77			}
78			if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) {
79			if ((TempPtr = strstr(cmd, "urn")) != NULL) {
80			- strcpy(Evt->DeviceType, TempPtr);
81			+ memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
82			+ strncpy(Evt->DeviceType, TempPtr,
83			+ sizeof Evt->DeviceType - 1);
84			CommandFound = 1;
85			}
86			}
87			if ((TempPtr = strstr(cmd, "::upnp:rootdevice")) != NULL) {
88			/* Everything before "::upnp::rootdevice" is the UDN. */
89			if (TempPtr != cmd) {
90			- n = (size_t) (TempPtr - cmd);
91			+ n = (size_t)TempPtr - (size_t)cmd;
92			+ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
93			strncpy(Evt->UDN, cmd, n);
94			Evt->UDN[n] = 0;
95			CommandFound = 1;