miniupnpd/upnphttp.c: fix buffer overrun in ParseHttpHeaders() if Content-Length doesn't contain any digit

Credits goes to Stephen Röttger of the Google Security Team for identifying the vulnerabilities
2025-02-21 18:28:05 +00:00 · 2014-12-09 11:02:57 +01:00 · 2014-12-09 11:02:57 +01:00 · dd39ecaa93
commit dd39ecaa93
parent e6bc04aa06
2 changed files with 3 additions and 2 deletions
--- a/miniupnpd/Changelog.txt
+++ b/miniupnpd/Changelog.txt
@ -4,6 +4,7 @@ $Id: Changelog.txt,v 1.391 2014/12/09 09:48:04 nanard Exp $
  fix upnp_add_inboundpinhole() : check inet_pton() return
  fix upnp_redirect() : check inet_aton() return
  fix potential memory corruption in upnpsoap.c/GetListOfPortMappings()
+  fix buffer overrun in ParseHttpHeaders() if Content-Length doesn't contain any digit !
    Credits goes to Stephen Röttger of the Google Security Team for identifying
    the vulnerabilities

--- a/miniupnpd/upnphttp.c
+++ b/miniupnpd/upnphttp.c
@ -1,4 +1,4 @@
-/* $Id: upnphttp.c,v 1.91 2014/04/09 14:08:12 nanard Exp $ */
+/* $Id: upnphttp.c,v 1.94 2014/12/09 09:46:45 nanard Exp $ */
 /* Project :  miniupnp
 * Website :  http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
 * Author :   Thomas Bernard
@ -223,7 +223,7 @@ ParseHttpHeaders(struct upnphttp * h)
 			if(strncasecmp(line, "Content-Length", 14)==0)
 			{
 				p = colon;
-				while(*p < '0' || *p > '9')
+				while((*p < '0' || *p > '9') && (*p != '\r') && (*p != '\n'))
 					p++;
 				h->req_contentlen = atoi(p);
 				if(h->req_contentlen < 0) {