From b238cade9a173c6f751a34acf8ccff838a62aa47 Mon Sep 17 00:00:00 2001
From: Thomas Bernard
Date: Tue, 1 Mar 2016 19:14:15 +0100
Subject: [PATCH] minissdpd: Fix broken overflow test (p+l > buf+n) thanks to Salva Piero

---
 minissdpd/Changelog.txt | 5 ++++-
 minissdpd/minissdpd.c | 10 +++++-----
 minissdpd/testminissdpd.c | 12 +++++++++++-
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/minissdpd/Changelog.txt b/minissdpd/Changelog.txt
index c4d5e39..e66f052 100644
--- a/minissdpd/Changelog.txt
+++ b/minissdpd/Changelog.txt
@@ -1,4 +1,7 @@
-$Id: Changelog.txt,v 1.43 2015/08/06 14:05:49 nanard Exp $
+$Id: Changelog.txt,v 1.45 2016/03/01 18:06:46 nanard Exp $
+
+2016/03/01:
+ Fix broken overflow test (p+l > buf+n) thanks to Salva Piero
 
 VERSION 1.5:
 
diff --git a/minissdpd/minissdpd.c b/minissdpd/minissdpd.c
index 51f8273..df304cd 100644
--- a/minissdpd/minissdpd.c
+++ b/minissdpd/minissdpd.c
@@ -1,4 +1,4 @@
-/* $Id: minissdpd.c,v 1.50 2015/08/06 14:05:49 nanard Exp $ */
+/* $Id: minissdpd.c,v 1.53 2016/03/01 18:06:46 nanard Exp $ */
 /* vim: tabstop=4 shiftwidth=4 noexpandtab
 * MiniUPnP project
 * (c) 2007-2016 Thomas Bernard
@@ -847,7 +847,7 @@ void processRequest(struct reqelem * req)
 type = buf[0];
 p = buf + 1;
 DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
 syslog(LOG_WARNING, "bad request (length encoding l=%u n=%u)",
 l, (unsigned)n);
 goto error;
@@ -969,7 +969,7 @@ void processRequest(struct reqelem * req)
 goto error;
 }
 DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
 syslog(LOG_WARNING, "bad request (length encoding)");
 goto error;
 }
@@ -987,7 +987,7 @@ void processRequest(struct reqelem * req)
 newserv->usn[l] = '\0';
 p += l;
 DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
 syslog(LOG_WARNING, "bad request (length encoding)");
 goto error;
 }
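Review bot: The rewritten guard at -847, `if(l > (unsigned)(buf+n-p))`, is only sound while p has not advanced past buf+n: a negative `buf+n-p` cast to unsigned becomes a huge value and the check would accept any l, so the fact that DECODELENGTH_CHECKLIMIT on the preceding line is what keeps p <= buf+n deserves to be written down (the macro body is outside the hunk, so that property is inferred from its name). Nothing in the code says why the pointer comparison was replaced, and the old form reads more naturally, so a comment above the check would stop it being reverted: `/* compare lengths, not pointers: p+l may point far beyond buf, which is undefined and lets the compiler drop the test; DECODELENGTH_CHECKLIMIT leaves p <= buf+n */`. Casting to `(size_t)` rather than `(unsigned)` would also avoid truncating the ptrdiff_t on 64-bit hosts, which is harmless here only as long as buf stays a bounded local buffer. The identical check is repeated in the hunks at -969, -987 and -1005; one static inline helper or a macro placed beside DECODELENGTH_CHECKLIMIT would keep the four copies in step. processRequest begins and ends outside every hunk.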
@@ -1005,7 +1005,7 @@ void processRequest(struct reqelem * req)
 newserv->server[l] = '\0';
 p += l;
 DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
 syslog(LOG_WARNING, "bad request (length encoding)");
 goto error;
 }
diff --git a/minissdpd/testminissdpd.c b/minissdpd/testminissdpd.c
index a845272..0f9bf0a 100644
--- a/minissdpd/testminissdpd.c
+++ b/minissdpd/testminissdpd.c
@@ -1,4 +1,4 @@
-/* $Id: testminissdpd.c,v 1.12 2015/08/06 13:16:59 nanard Exp $ */
+/* $Id: testminissdpd.c,v 1.14 2016/03/01 17:49:51 nanard Exp $ */
 /* Project : miniupnp
 * website : http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
 * Author : Thomas BERNARD
@@ -65,6 +65,7 @@ main(int argc, char * * argv)
 const char bad_command[] = { 0xff, 0xff };
 const char overflow[] = { 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
 const char command5[] = { 0x05, 0x00 };
+ const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f};
 int s;
 int i;
 void * tmp;
@@ -180,6 +181,15 @@ main(int argc, char * * argv)
 n = read(s, buf, sizeof(buf));
 printf("Response received %d bytes\n", (int)n);
 printresponse(buf, n);
+ if(n == 0) {
+ close(s);
+ s = connect_unix_socket(sockpath);
+ }
+
+ n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
+ n = read(s, buf, sizeof(buf));
+ printf("Response received %d bytes\n", (int)n);
+ printresponse(buf, n);
 close(s);
 return 0;
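Review bot: The new vector `bad_command4` at -65 is a bare byte string, and nothing in the hunk says what it encodes or which check it is meant to exercise. If the length prefix uses the MSB-first 7-bit continuation encoding that the neighbouring `overflow` vector suggests, it decodes as type 4, a one-byte string (0x60) and then a five-byte length equal to 0xffffffff, i.e. the kind of l that made the old `p+l > buf+n` comparison misbehave; the decoder is not in this hunk, so that reading is inferred. A comment above the declaration would pin the intent for whoever next edits the fixture: `/* type 4, a 1-byte string, then a length that decodes to 0xffffffff: must be rejected by the length check in processRequest */`. main() begins before this hunk and ends after it.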