status-im
/
miniupnp
mirror of https://github.com/status-im/miniupnp.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

minissdpd: Fix broken overflow test (p+l > buf+n) thanks to Salva Piero

This commit is contained in:
Thomas Bernard 2016-03-01 19:14:15 +01:00
parent ee22350d5f
commit b238cade9a
3 changed files with 20 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
minissdpd/Changelog.txt
View File

@ -1,4 +1,7 @@
$Id: Changelog.txt,v 1.43 2015/08/06 14:05:49 nanard Exp $ $Id: Changelog.txt,v 1.45 2016/03/01 18:06:46 nanard Exp $
2016/03/01:
Fix broken overflow test (p+l > buf+n) thanks to Salva Piero
VERSION 1.5: VERSION 1.5:

10
minissdpd/minissdpd.c
View File

@ -1,4 +1,4 @@
/* $Id: minissdpd.c,v 1.50 2015/08/06 14:05:49 nanard Exp $ */ /* $Id: minissdpd.c,v 1.53 2016/03/01 18:06:46 nanard Exp $ */
/* vim: tabstop=4 shiftwidth=4 noexpandtab /* vim: tabstop=4 shiftwidth=4 noexpandtab
* MiniUPnP project * MiniUPnP project
* (c) 2007-2016 Thomas Bernard * (c) 2007-2016 Thomas Bernard
@ -847,7 +847,7 @@ void processRequest(struct reqelem * req)
type = buf[0]; type = buf[0];
p = buf + 1; p = buf + 1;
DECODELENGTH_CHECKLIMIT(l, p, buf + n); DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) { if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding l=%u n=%u)", syslog(LOG_WARNING, "bad request (length encoding l=%u n=%u)",
l, (unsigned)n); l, (unsigned)n);
goto error; goto error;
@ -969,7 +969,7 @@ void processRequest(struct reqelem * req)
goto error; goto error;
} }
DECODELENGTH_CHECKLIMIT(l, p, buf + n); DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) { if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)"); syslog(LOG_WARNING, "bad request (length encoding)");
goto error; goto error;
} }
@ -987,7 +987,7 @@ void processRequest(struct reqelem * req)
newserv->usn[l] = '\0'; newserv->usn[l] = '\0';
p += l; p += l;
DECODELENGTH_CHECKLIMIT(l, p, buf + n); DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) { if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)"); syslog(LOG_WARNING, "bad request (length encoding)");
goto error; goto error;
} }
@ -1005,7 +1005,7 @@ void processRequest(struct reqelem * req)
newserv->server[l] = '\0'; newserv->server[l] = '\0';
p += l; p += l;
DECODELENGTH_CHECKLIMIT(l, p, buf + n); DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) { if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)"); syslog(LOG_WARNING, "bad request (length encoding)");
goto error; goto error;
} }

12
minissdpd/testminissdpd.c
View File

@ -1,4 +1,4 @@
/* $Id: testminissdpd.c,v 1.12 2015/08/06 13:16:59 nanard Exp $ */ /* $Id: testminissdpd.c,v 1.14 2016/03/01 17:49:51 nanard Exp $ */
/* Project : miniupnp /* Project : miniupnp
* website : http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ * website : http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
* Author : Thomas BERNARD * Author : Thomas BERNARD
@ -65,6 +65,7 @@ main(int argc, char * * argv)
const char bad_command[] = { 0xff, 0xff }; const char bad_command[] = { 0xff, 0xff };
const char overflow[] = { 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; const char overflow[] = { 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
const char command5[] = { 0x05, 0x00 }; const char command5[] = { 0x05, 0x00 };
const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f};
int s; int s;
int i; int i;
void * tmp; void * tmp;
@ -180,6 +181,15 @@ main(int argc, char * * argv)
n = read(s, buf, sizeof(buf)); n = read(s, buf, sizeof(buf));
printf("Response received %d bytes\n", (int)n); printf("Response received %d bytes\n", (int)n);
printresponse(buf, n); printresponse(buf, n);
if(n == 0) {
close(s);
s = connect_unix_socket(sockpath);
}
n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
n = read(s, buf, sizeof(buf));
printf("Response received %d bytes\n", (int)n);
printresponse(buf, n);
close(s); close(s);
return 0; return 0;