From e6bc04aa06341fa4df3ccae87a167e9adf816911 Mon Sep 17 00:00:00 2001
From: Thomas Bernard
Date: Tue, 9 Dec 2014 11:01:37 +0100
Subject: [PATCH] miniupnpd/upnpsoap.c: fix potential memory corruption in upnpsoap.c/GetListOfPortMappings()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Credits goes to Stephen Röttger of the Google Security Team for identifying the vulnerabilities
---
 miniupnpd/Changelog.txt | 1 +
 miniupnpd/upnpsoap.c | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/miniupnpd/Changelog.txt b/miniupnpd/Changelog.txt
index b9eedfd..30a6d1d 100644
--- a/miniupnpd/Changelog.txt
+++ b/miniupnpd/Changelog.txt
@@ -3,6 +3,7 @@ $Id: Changelog.txt,v 1.391 2014/12/09 09:48:04 nanard Exp $
 2014/12/09:
 fix upnp_add_inboundpinhole() : check inet_pton() return
 fix upnp_redirect() : check inet_aton() return
+ fix potential memory corruption in upnpsoap.c/GetListOfPortMappings()
 Credits goes to Stephen Röttger of the Google Security Team for identifying the vulnerabilities
diff --git a/miniupnpd/upnpsoap.c b/miniupnpd/upnpsoap.c
index faefe77..efd0658 100644
--- a/miniupnpd/upnpsoap.c
+++ b/miniupnpd/upnpsoap.c
@@ -1,4 +1,4 @@
-/* $Id: upnpsoap.c,v 1.130 2014/11/28 13:18:57 nanard Exp $ */
+/* $Id: upnpsoap.c,v 1.132 2014/12/09 09:46:46 nanard Exp $ */
 /* MiniUPnP project
 * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
 * (c) 2006-2014 Thomas Bernard
@@ -1031,6 +1031,7 @@ http://www.upnp.org/schemas/gw/WANIPConnection-v2.xsd">
 body = realloc(body, bodyalloc);
 if(!body)
 {
+ syslog(LOG_CRIT, "realloc(%p, %u) FAILED", body_sav, (unsigned)bodyalloc);
 ClearNameValueList(&data);
 SoapError(h, 501, "ActionFailed");
 free(body_sav);
@@ -1055,6 +1056,20 @@ http://www.upnp.org/schemas/gw/WANIPConnection-v2.xsd">
 free(port_list);
 port_list = NULL;
+ if((bodylen + sizeof(list_end) + 1024) > bodyalloc)
+ {
+ char * body_sav = body;
+ bodyalloc += (sizeof(list_end) + 1024);
+ body = realloc(body, bodyalloc);
+ if(!body)
+ {
+ syslog(LOG_CRIT, "realloc(%p, %u) FAILED", body_sav, (unsigned)bodyalloc);
+ ClearNameValueList(&data);
+ SoapError(h, 501, "ActionFailed");
+ free(body_sav);
+ return;
+ }
+ }
 memcpy(body+bodylen, list_end, sizeof(list_end));
 bodylen += (sizeof(list_end) - 1);
 bodylen += snprintf(body+bodylen, bodyalloc-bodylen, resp_end,
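Review bot: `bodylen += snprintf(body+bodylen, bodyalloc-bodylen, resp_end,` on the hunk's last context line still trusts snprintf's return value: the new grow step only guarantees `sizeof(list_end) + 1024` bytes of headroom, and if the formatted tail does not fit, snprintf truncates but returns the full would-be length, so bodylen ends up larger than the bytes actually present in body and whatever later consumes (body, bodylen) reads past the allocation. I would capture the result and check it before accumulating, e.g. `int r = snprintf(body+bodylen, bodyalloc-bodylen, resp_end, …); if(r < 0 || (size_t)r >= (size_t)(bodyalloc - bodylen)) { /* same ClearNameValueList/SoapError/free error path as above */ } bodylen += r;` — whether 1024 is always enough depends on the expansion of resp_end, which is outside this hunk. The slack constant 1024 is also written twice (in the condition and in the `bodyalloc +=` line), and the realloc-failure sequence duplicates the one in the earlier `@@ -1031,6` hunk; an `enum { BODY_TAIL_SLACK = 1024 };` plus a small static grow helper would keep the two sites from drifting. The enclosing function (GetListOfPortMappings(), per the subject line) starts and ends outside this hunk.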