From 2f5cc790339cf69871162dcf535c1c5f08b836be Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Tue, 15 Sep 2015 16:15:30 +0200 Subject: [PATCH] igd_desc_parse.c: fix buffer overflow --- miniupnpc-async/igd_desc_parse.c | 8 +++++--- miniupnpc-libevent/igd_desc_parse.c | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/miniupnpc-async/igd_desc_parse.c b/miniupnpc-async/igd_desc_parse.c index 892a090..d2999ad 100644 --- a/miniupnpc-async/igd_desc_parse.c +++ b/miniupnpc-async/igd_desc_parse.c @@ -1,8 +1,8 @@ -/* $Id: igd_desc_parse.c,v 1.16 2014/11/17 17:19:13 nanard Exp $ */ +/* $Id: igd_desc_parse.c,v 1.17 2015/09/15 13:30:04 nanard Exp $ */ /* Project : miniupnp * http://miniupnp.free.fr/ * Author : Thomas Bernard - * Copyright (c) 2005-2014 Thomas Bernard + * Copyright (c) 2005-2015 Thomas Bernard * This software is subject to the conditions detailed in the * LICENCE file provided in this distribution. */ @@ -15,7 +15,9 @@ void IGDstartelt(void * d, const char * name, int l) { struct IGDdatas * datas = (struct IGDdatas *)d; - memcpy( datas->cureltname, name, l); + if(l >= MINIUPNPC_URL_MAXSIZE) + l = MINIUPNPC_URL_MAXSIZE-1; + memcpy(datas->cureltname, name, l); datas->cureltname[l] = '\0'; datas->level++; if( (l==7) && !memcmp(name, "service", l) ) { diff --git a/miniupnpc-libevent/igd_desc_parse.c b/miniupnpc-libevent/igd_desc_parse.c index 892a090..d2999ad 100644 --- a/miniupnpc-libevent/igd_desc_parse.c +++ b/miniupnpc-libevent/igd_desc_parse.c @@ -1,8 +1,8 @@ -/* $Id: igd_desc_parse.c,v 1.16 2014/11/17 17:19:13 nanard Exp $ */ +/* $Id: igd_desc_parse.c,v 1.17 2015/09/15 13:30:04 nanard Exp $ */ /* Project : miniupnp * http://miniupnp.free.fr/ * Author : Thomas Bernard - * Copyright (c) 2005-2014 Thomas Bernard + * Copyright (c) 2005-2015 Thomas Bernard * This software is subject to the conditions detailed in the * LICENCE file provided in this distribution. */ @@ -15,7 +15,9 @@ void IGDstartelt(void * d, const char * name, int l) { struct IGDdatas * datas = (struct IGDdatas *)d; - memcpy( datas->cureltname, name, l); + if(l >= MINIUPNPC_URL_MAXSIZE) + l = MINIUPNPC_URL_MAXSIZE-1; + memcpy(datas->cureltname, name, l); datas->cureltname[l] = '\0'; datas->level++; if( (l==7) && !memcmp(name, "service", l) ) {