From 1ef1deec01bca16d4bbf3f690cbc06ddd19adedc Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Tue, 9 Apr 2019 22:06:21 +0200 Subject: [PATCH] upnpevents.c: properly handle urls in the form http://ip:port Fix buffer over-read in upnpevents.c with urls in the form http://ip:port (without path). Assume / when the path is empty fixes #361 --- miniupnpd/Changelog.txt | 5 ++++- miniupnpd/upnpevents.c | 9 +++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/miniupnpd/Changelog.txt b/miniupnpd/Changelog.txt index 191a70a..ddf83be 100644 --- a/miniupnpd/Changelog.txt +++ b/miniupnpd/Changelog.txt @@ -1,4 +1,7 @@ -$Id: Changelog.txt,v 1.444 2019/04/03 16:25:53 nanard Exp $ +$Id: Changelog.txt,v 1.446 2019/04/09 20:04:32 nanard Exp $ + +2019/04/09: + Fix buffer over-read in upnpevents.c with urls in the form http://ip:port 2019/04/05: Fix memory leak in upnpreplyparse.c with NewPortListing element diff --git a/miniupnpd/upnpevents.c b/miniupnpd/upnpevents.c index 3bc402f..8e50481 100644 --- a/miniupnpd/upnpevents.c +++ b/miniupnpd/upnpevents.c @@ -1,8 +1,8 @@ -/* $Id: upnpevents.c,v 1.39 2018/03/12 22:41:54 nanard Exp $ */ +/* $Id: upnpevents.c,v 1.42 2019/04/09 20:04:34 nanard Exp $ */ /* vim: tabstop=4 shiftwidth=4 noexpandtab * MiniUPnP project * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ - * (c) 2008-2018 Thomas Bernard + * (c) 2008-2019 Thomas Bernard * This software is subject to the conditions detailed * in the LICENCE file provided within the distribution */ @@ -341,7 +341,7 @@ upnp_event_notify_connect(struct upnp_event_notify * obj) i = 1; p++; port = (unsigned short)atoi(p); - while(*p != '/') { + while(*p != '\0' && *p != '/') { if(i<7) obj->portstr[i++] = *p; p++; } 
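Review bot: Non-digit bytes after the `:` are still copied into `obj->portstr` by the loop in the upnp_event_notify_connect hunk. The preceding `port = (unsigned short)atoi(p);` also reports neither a parse failure nor an out-of-range value before the cast. The callback URL is presumably client-supplied and `portstr` is later passed to the `snprintf` that builds the NOTIFY request, so only digits should be accepted: tighten the condition to `while(*p >= '0' && *p <= '9')` and treat a following character other than `/` or `\0` as a malformed URL. Replacing `atoi` with `strtoul` plus a 1-65535 range check would make the rejected cases explicit. The function starts and ends outside this hunk, so the host-parsing code before this point should be checked for the same missing `'\0'` test.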
@@ -454,7 +454,8 @@ static void upnp_event_prepare(struct upnp_event_notify * obj) return; } obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg, - obj->path, obj->addrstr, obj->portstr, l+2, + (obj->path[0] != '\0') ? obj->path : "/", + obj->addrstr, obj->portstr, l+2, obj->sub->uuid, obj->sub->seq, l, xml); if (obj->tosend < 0) {
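Review bot: The new first argument reads `obj->path[0]` with no NULL check, and `obj->path` appears to be assigned while the callback URL is parsed, outside this hunk. The read is therefore safe only if upnp_event_prepare can never run before that assignment has happened. If the state machine does not guarantee that ordering, guard it with `(obj->path && obj->path[0] != '\0') ? obj->path : "/"`. A short comment such as `/* callback URL had no path: the request target must be "/" */` would explain the fallback. Only the `obj->tosend < 0` test is visible and the function continues past the hunk, so confirm that the truncation case `obj->tosend >= obj->buffersize` is handled there before the buffer is sent.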