status-im
/
miniupnp
mirror of https://github.com/status-im/miniupnp.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

miniupnpd/upnpsoap.c: fix potential memory corruption in upnpsoap.c/GetListOfPortMappings() 

Credits goes to Stephen Röttger of the Google Security Team for identifying
the vulnerabilities
This commit is contained in:
Thomas Bernard 2014-12-09 11:01:37 +01:00
parent 7c91c4e933
commit e6bc04aa06
2 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
miniupnpd/Changelog.txt
View File

@ -3,6 +3,7 @@ $Id: Changelog.txt,v 1.391 2014/12/09 09:48:04 nanard Exp $
2014/12/09: 2014/12/09:
fix upnp_add_inboundpinhole() : check inet_pton() return fix upnp_add_inboundpinhole() : check inet_pton() return
fix upnp_redirect() : check inet_aton() return fix upnp_redirect() : check inet_aton() return
fix potential memory corruption in upnpsoap.c/GetListOfPortMappings()
Credits goes to Stephen Röttger of the Google Security Team for identifying Credits goes to Stephen Röttger of the Google Security Team for identifying
the vulnerabilities the vulnerabilities

17
miniupnpd/upnpsoap.c
View File

@ -1,4 +1,4 @@
/* $Id: upnpsoap.c,v 1.130 2014/11/28 13:18:57 nanard Exp $ */ /* $Id: upnpsoap.c,v 1.132 2014/12/09 09:46:46 nanard Exp $ */
/* MiniUPnP project /* MiniUPnP project
* http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
* (c) 2006-2014 Thomas Bernard * (c) 2006-2014 Thomas Bernard
@ -1031,6 +1031,7 @@ http://www.upnp.org/schemas/gw/WANIPConnection-v2.xsd">
body = realloc(body, bodyalloc); body = realloc(body, bodyalloc);
if(!body) if(!body)
{ {
syslog(LOG_CRIT, "realloc(%p, %u) FAILED", body_sav, (unsigned)bodyalloc);
ClearNameValueList(&data); ClearNameValueList(&data);
SoapError(h, 501, "ActionFailed"); SoapError(h, 501, "ActionFailed");
free(body_sav); free(body_sav);
@ -1055,6 +1056,20 @@ http://www.upnp.org/schemas/gw/WANIPConnection-v2.xsd">
free(port_list); free(port_list);
port_list = NULL; port_list = NULL;
if((bodylen + sizeof(list_end) + 1024) > bodyalloc)
{
char * body_sav = body;
bodyalloc += (sizeof(list_end) + 1024);
body = realloc(body, bodyalloc);
if(!body)
{
syslog(LOG_CRIT, "realloc(%p, %u) FAILED", body_sav, (unsigned)bodyalloc);
ClearNameValueList(&data);
SoapError(h, 501, "ActionFailed");
free(body_sav);
return;
}
}
memcpy(body+bodylen, list_end, sizeof(list_end)); memcpy(body+bodylen, list_end, sizeof(list_end));
bodylen += (sizeof(list_end) - 1); bodylen += (sizeof(list_end) - 1);
bodylen += snprintf(body+bodylen, bodyalloc-bodylen, resp_end, bodylen += snprintf(body+bodylen, bodyalloc-bodylen, resp_end,