miniupnpd/upnpdescgen.c: check string length before memcmp() in genServiceDesc()
see https://github.com/miniupnp/miniupnp/issues/459
This commit is contained in:
Thomas Bernard
parent
a711165e6e
commit
3b20182c86
|
|
@ -1,8 +1,8 @@
|
||||||
/* $Id: upnpdescgen.c,v 1.83 2017/05/27 07:47:57 nanard Exp $ */
|
/* $Id: upnpdescgen.c,v 1.87 2020/05/30 09:05:46 nanard Exp $ */
|
||||||
/* vim: tabstop=4 shiftwidth=4 noexpandtab
|
/* vim: tabstop=4 shiftwidth=4 noexpandtab
|
||||||
* MiniUPnP project
|
* MiniUPnP project
|
||||||
* http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
|
* http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
|
||||||
* (c) 2006-2018 Thomas Bernard
|
* (c) 2006-2020 Thomas Bernard
|
||||||
* This software is subject to the conditions detailed
|
* This software is subject to the conditions detailed
|
||||||
* in the LICENCE file provided within the distribution */
|
* in the LICENCE file provided within the distribution */
|
||||||
|
|
||||||
|
|
@ -1024,7 +1024,6 @@ genServiceDesc(int * len, const struct serviceDesc * s)
|
||||||
const struct action * acts;
|
const struct action * acts;
|
||||||
const struct stateVar * vars;
|
const struct stateVar * vars;
|
||||||
const struct argument * args;
|
const struct argument * args;
|
||||||
const char * p;
|
|
||||||
char * str;
|
char * str;
|
||||||
int tmplen;
|
int tmplen;
|
||||||
tmplen = 2048;
|
tmplen = 2048;
|
||||||
|
|
@ -1061,17 +1060,20 @@ genServiceDesc(int * len, const struct serviceDesc * s)
|
||||||
j = 0;
|
j = 0;
|
||||||
while(args[j].dir)
|
while(args[j].dir)
|
||||||
{
|
{
|
||||||
|
const char * p;
|
||||||
|
size_t plen;
|
||||||
str = strcat_str(str, len, &tmplen, "<argument><name>");
|
str = strcat_str(str, len, &tmplen, "<argument><name>");
|
||||||
if((args[j].dir & 0x80) == 0) {
|
if((args[j].dir & 0x80) == 0) {
|
||||||
str = strcat_str(str, len, &tmplen, "New");
|
str = strcat_str(str, len, &tmplen, "New");
|
||||||
}
|
}
|
||||||
p = vars[args[j].relatedVar].name;
|
p = vars[args[j].relatedVar].name;
|
||||||
|
plen = strlen(p);
|
||||||
if(args[j].dir & 0x7c) {
|
if(args[j].dir & 0x7c) {
|
||||||
/* use magic values ... */
|
/* use magic values ... */
|
||||||
str = strcat_str(str, len, &tmplen, magicargname[(args[j].dir & 0x7c) >> 2]);
|
str = strcat_str(str, len, &tmplen, magicargname[(args[j].dir & 0x7c) >> 2]);
|
||||||
} else if(0 == memcmp(p, "PortMapping", 11)
|
} else if(plen >= 11 && 0 == memcmp(p, "PortMapping", 11)
|
||||||
&& 0 != memcmp(p + 11, "Description", 11)) {
|
&& (plen < 22 || 0 != memcmp(p + 11, "Description", 11))) {
|
||||||
if(0 == memcmp(p + 11, "NumberOfEntries", 15)) {
|
if(plen >= (11+15) && 0 == memcmp(p + 11, "NumberOfEntries", 15)) {
|
||||||
/* PortMappingNumberOfEntries */
|
/* PortMappingNumberOfEntries */
|
||||||
#ifdef IGD_V2
|
#ifdef IGD_V2
|
||||||
if(0 == memcmp(acts[i].name, "GetListOfPortMappings", 22)) {
|
if(0 == memcmp(acts[i].name, "GetListOfPortMappings", 22)) {
|
||||||
|
|
@ -1089,9 +1091,9 @@ genServiceDesc(int * len, const struct serviceDesc * s)
|
||||||
str = strcat_str(str, len, &tmplen, p + 11);
|
str = strcat_str(str, len, &tmplen, p + 11);
|
||||||
}
|
}
|
||||||
#ifdef IGD_V2
|
#ifdef IGD_V2
|
||||||
} else if(0 == memcmp(p, "A_ARG_TYPE_", 11)) {
|
} else if(plen >= 11 && 0 == memcmp(p, "A_ARG_TYPE_", 11)) {
|
||||||
str = strcat_str(str, len, &tmplen, p + 11);
|
str = strcat_str(str, len, &tmplen, p + 11);
|
||||||
} else if(0 == memcmp(p, "ExternalPort", 13)
|
} else if(plen >= 13 && 0 == memcmp(p, "ExternalPort", 13)
|
||||||
&& args[j].dir == 2
|
&& args[j].dir == 2
|
||||||
&& 0 == memcmp(acts[i].name, "AddAnyPortMapping", 18)) {
|
&& 0 == memcmp(acts[i].name, "AddAnyPortMapping", 18)) {
|
||||||
str = strcat_str(str, len, &tmplen, "ReservedPort");
|
str = strcat_str(str, len, &tmplen, "ReservedPort");
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue