From 3b20182c860788b84be7fd5eab65e40a87920608 Mon Sep 17 00:00:00 2001
From: Thomas Bernard
Date: Sat, 30 May 2020 11:06:24 +0200
Subject: [PATCH] miniupnpd/upnpdescgen.c: check string length before memcmp() in genServiceDesc() see https://github.com/miniupnp/miniupnp/issues/459
---
 miniupnpd/upnpdescgen.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/miniupnpd/upnpdescgen.c b/miniupnpd/upnpdescgen.c
index b2583eb..dcc03b9 100644
--- a/miniupnpd/upnpdescgen.c
+++ b/miniupnpd/upnpdescgen.c
@@ -1,8 +1,8 @@
-/* $Id: upnpdescgen.c,v 1.83 2017/05/27 07:47:57 nanard Exp $ */
+/* $Id: upnpdescgen.c,v 1.87 2020/05/30 09:05:46 nanard Exp $ */
 /* vim: tabstop=4 shiftwidth=4 noexpandtab
  * MiniUPnP project
- * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
- * (c) 2006-2018 Thomas Bernard
+ * http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
+ * (c) 2006-2020 Thomas Bernard
  * This software is subject to the conditions detailed
  * in the LICENCE file provided within the distribution */
@@ -1024,7 +1024,6 @@ genServiceDesc(int * len, const struct serviceDesc * s)
 const struct action * acts;
 const struct stateVar * vars;
 const struct argument * args;
- const char * p;
 char * str;
 int tmplen;
 tmplen = 2048;
@@ -1061,17 +1060,20 @@ genServiceDesc(int * len, const struct serviceDesc * s)
 j = 0;
 while(args[j].dir)
 {
+ const char * p;
+ size_t plen;
 str = strcat_str(str, len, &tmplen, "");
 if((args[j].dir & 0x80) == 0) {
 str = strcat_str(str, len, &tmplen, "New");
 }
 p = vars[args[j].relatedVar].name;
+ plen = strlen(p);
 if(args[j].dir & 0x7c) {
 /* use magic values ... */
 str = strcat_str(str, len, &tmplen, magicargname[(args[j].dir & 0x7c) >> 2]);
- } else if(0 == memcmp(p, "PortMapping", 11)
- && 0 != memcmp(p + 11, "Description", 11)) {
- if(0 == memcmp(p + 11, "NumberOfEntries", 15)) {
+ } else if(plen >= 11 && 0 == memcmp(p, "PortMapping", 11)
+ && (plen < 22 || 0 != memcmp(p + 11, "Description", 11))) {
+ if(plen >= (11+15) && 0 == memcmp(p + 11, "NumberOfEntries", 15)) {
 /* PortMappingNumberOfEntries */
 #ifdef IGD_V2
 if(0 == memcmp(acts[i].name, "GetListOfPortMappings", 22)) {
@@ -1089,9 +1091,9 @@ genServiceDesc(int * len, const struct serviceDesc * s)
 str = strcat_str(str, len, &tmplen, p + 11);
 }
 #ifdef IGD_V2
- } else if(0 == memcmp(p, "A_ARG_TYPE_", 11)) {
+ } else if(plen >= 11 && 0 == memcmp(p, "A_ARG_TYPE_", 11)) {
 str = strcat_str(str, len, &tmplen, p + 11);
- } else if(0 == memcmp(p, "ExternalPort", 13)
+ } else if(plen >= 13 && 0 == memcmp(p, "ExternalPort", 13)
 && args[j].dir == 2
 && 0 == memcmp(acts[i].name, "AddAnyPortMapping", 18)) {
 str = strcat_str(str, len, &tmplen, "ReservedPort");
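Review bot: The last context line of the `@@ -1061,17 +1060,20 @@` hunk, `memcmp(acts[i].name, "GetListOfPortMappings", 22)`, still reads a fixed 22 bytes from `acts[i].name` with no length check, which is the same out-of-bounds read pattern this commit guards against for `p`. The same applies to `memcmp(acts[i].name, "AddAnyPortMapping", 18)` in the `@@ -1089,9 +1091,9 @@` hunk. Both counts include the literal's terminating NUL, so these are exact-match tests and can be written as `0 == strcmp(acts[i].name, "GetListOfPortMappings")` and `0 == strcmp(acts[i].name, "AddAnyPortMapping")`, which stop at the first NUL of a shorter action name. The while loop body and the if/else chain continue outside the hunk.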
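Review bot: In the `@@ -1089,9 +1091,9 @@` hunk the new guard `plen >= 13` makes the `ExternalPort` branch unreachable. `"ExternalPort"` is 12 characters and the 13-byte `memcmp` also compares the terminating NUL, so the comparison can only succeed when `plen` is exactly 12, which the guard now excludes. As written, the `ReservedPort` substitution for `AddAnyPortMapping` would no longer be emitted in the generated description. The guard should be `plen == 12 && 0 == memcmp(p, "ExternalPort", 13)`, or the test can be replaced with `0 == strcmp(p, "ExternalPort")`. The if/else chain starts and ends outside the hunk.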