miniupnpd/upnppinhole.c: fix upnp_add_inboundpinhole() : check inet_pton() return

miniupnpd/Changelog.txt

@@ -1,4 +1,9 @@
-$Id: Changelog.txt,v 1.385 2014/12/04 10:21:32 nanard Exp $
+$Id: Changelog.txt,v 1.391 2014/12/09 09:48:04 nanard Exp $
+
+2014/12/09:
+  fix upnp_add_inboundpinhole() : check inet_pton() return
+    Credits goes to Stephen Röttger of the Google Security Team for identifying
+    the vulnerabilities
 
 2014/12/04:
   check "sysctl -n net.ipv6.bindv6only" for linux

miniupnpd/upnppinhole.c

@@ -1,4 +1,4 @@
-/* $Id: upnppinhole.c,v 1.4 2012/05/08 20:41:45 nanard Exp $ */
+/* $Id: upnppinhole.c,v 1.7 2014/12/09 09:13:53 nanard Exp $ */
 /* MiniUPnP project
  * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
  * (c) 2006-2012 Thomas Bernard
@@ -88,10 +88,10 @@ upnp_check_outbound_pinhole(int proto, int * timeout)
 #endif
 
 /* upnp_add_inboundpinhole()
- * returns: 0 on success
+ * returns:  1 on success
- *          -1 failed to add pinhole
+ *          -1 Pinhole space exhausted
- *          -2 already created
+ *          -4 invalid arguments
- *          -3 inbound pinhole disabled
+ *         -42 not implemented
  * TODO : return uid on success (positive) or error value (negative)
  */
 int
@@ -109,10 +109,11 @@ upnp_add_inboundpinhole(const char * raddr,
 	unsigned int timestamp;
 	struct in6_addr address;
 
-	if(inet_pton(AF_INET6, iaddr, &address) < 0)
+	r = inet_pton(AF_INET6, iaddr, &address);
-	{
+	if(r <= 0) {
-		syslog(LOG_ERR, "inet_pton(%s) : %m", iaddr);
+		syslog(LOG_ERR, "inet_pton(%d, %s, %p) FAILED",
-		return 0;
+		       AF_INET6, iaddr, &address);
+		return -4;
 	}
 	current = time(NULL);
 	timestamp = current + leasetime;