Skip to content
Permalink
Browse files Browse the repository at this point in the history
minissdpd: Fix broken overflow test (p+l > buf+n) thanks to Salva Piero
  • Loading branch information
miniupnp committed Mar 1, 2016
1 parent ee22350 commit b238cad
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 7 deletions.
5 changes: 4 additions & 1 deletion minissdpd/Changelog.txt
@@ -1,4 +1,7 @@
$Id: Changelog.txt,v 1.43 2015/08/06 14:05:49 nanard Exp $
$Id: Changelog.txt,v 1.45 2016/03/01 18:06:46 nanard Exp $

2016/03/01:
Fix broken overflow test (p+l > buf+n) thanks to Salva Piero

VERSION 1.5:

Expand Down
10 changes: 5 additions & 5 deletions minissdpd/minissdpd.c
@@ -1,4 +1,4 @@
/* $Id: minissdpd.c,v 1.50 2015/08/06 14:05:49 nanard Exp $ */
/* $Id: minissdpd.c,v 1.53 2016/03/01 18:06:46 nanard Exp $ */
/* vim: tabstop=4 shiftwidth=4 noexpandtab
* MiniUPnP project
* (c) 2007-2016 Thomas Bernard
Expand Down Expand Up @@ -847,7 +847,7 @@ void processRequest(struct reqelem * req)
type = buf[0];
p = buf + 1;
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) {
if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding l=%u n=%u)",
l, (unsigned)n);
goto error;
Expand Down Expand Up @@ -969,7 +969,7 @@ void processRequest(struct reqelem * req)
goto error;
}
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) {
if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
Expand All @@ -987,7 +987,7 @@ void processRequest(struct reqelem * req)
newserv->usn[l] = '\0';
p += l;
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) {
if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
Expand All @@ -1005,7 +1005,7 @@ void processRequest(struct reqelem * req)
newserv->server[l] = '\0';
p += l;
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) {
if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
Expand Down
12 changes: 11 additions & 1 deletion minissdpd/testminissdpd.c
@@ -1,4 +1,4 @@
/* $Id: testminissdpd.c,v 1.12 2015/08/06 13:16:59 nanard Exp $ */
/* $Id: testminissdpd.c,v 1.14 2016/03/01 17:49:51 nanard Exp $ */
/* Project : miniupnp
* website : http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
* Author : Thomas BERNARD
Expand Down Expand Up @@ -65,6 +65,7 @@ main(int argc, char * * argv)
const char bad_command[] = { 0xff, 0xff };
const char overflow[] = { 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
const char command5[] = { 0x05, 0x00 };
const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f};
int s;
int i;
void * tmp;
Expand Down Expand Up @@ -180,6 +181,15 @@ main(int argc, char * * argv)
n = read(s, buf, sizeof(buf));
printf("Response received %d bytes\n", (int)n);
printresponse(buf, n);
if(n == 0) {
close(s);
s = connect_unix_socket(sockpath);
}

n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
n = read(s, buf, sizeof(buf));
printf("Response received %d bytes\n", (int)n);
printresponse(buf, n);

close(s);
return 0;
Expand Down

0 comments on commit b238cad

Please sign in to comment.