
minissdpd: Fix broken overflow test (p+l > buf+n) thanks to Salva Piero

miniupnp committed Mar 1, 2016
1 parent ee22350 commit b238cade9a173c6f751a34acf8ccff838a62aa47
Showing with 20 additions and 7 deletions.
  1. +4 −1 minissdpd/Changelog.txt
  2. +5 −5 minissdpd/minissdpd.c
  3. +11 −1 minissdpd/testminissdpd.c
@@ -1,4 +1,7 @@
$Id: Changelog.txt,v 1.43 2015/08/06 14:05:49 nanard Exp $
$Id: Changelog.txt,v 1.45 2016/03/01 18:06:46 nanard Exp $

2016/03/01:
Fix broken overflow test (p+l > buf+n) thanks to Salva Piero

VERSION 1.5:

@@ -1,4 +1,4 @@
/* $Id: minissdpd.c,v 1.50 2015/08/06 14:05:49 nanard Exp $ */
/* $Id: minissdpd.c,v 1.53 2016/03/01 18:06:46 nanard Exp $ */
/* vim: tabstop=4 shiftwidth=4 noexpandtab
* MiniUPnP project
* (c) 2007-2016 Thomas Bernard
@@ -847,7 +847,7 @@ void processRequest(struct reqelem * req)
type = buf[0];
p = buf + 1;
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) {
if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding l=%u n=%u)",
l, (unsigned)n);
goto error;
@@ -969,7 +969,7 @@ void processRequest(struct reqelem * req)
goto error;
}
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) {
if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
@@ -987,7 +987,7 @@ void processRequest(struct reqelem * req)
newserv->usn[l] = '\0';
p += l;
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) {
if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
@@ -1005,7 +1005,7 @@ void processRequest(struct reqelem * req)
newserv->server[l] = '\0';
p += l;
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
if(p+l > buf+n) {
if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
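Review bot: The rewritten test `if(l > (unsigned)(buf+n-p))` is only sound while `p <= buf+n`; if p were ever past the limit, the difference would be negative and the cast would turn it into a very large value that accepts any l. That invariant presumably comes from DECODELENGTH_CHECKLIMIT, which is not visible in these hunks, so I would record it at the first check (the @@ -847 hunk) with a comment such as `/* DECODELENGTH_CHECKLIMIT leaves p <= buf+n, so buf+n-p is never negative */`; the same applies to the checks in the -969, -987 and -1005 hunks. Those three also log only "bad request (length encoding)", whereas the first logs l and n; using `syslog(LOG_WARNING, "bad request (length encoding l=%u n=%u)", l, (unsigned)n);` in all four would make rejected requests easier to triage from the logs. processRequest begins and ends outside the hunks shown.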
@@ -1,4 +1,4 @@
/* $Id: testminissdpd.c,v 1.12 2015/08/06 13:16:59 nanard Exp $ */
/* $Id: testminissdpd.c,v 1.14 2016/03/01 17:49:51 nanard Exp $ */
/* Project : miniupnp
* website : http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
* Author : Thomas BERNARD
@@ -65,6 +65,7 @@ main(int argc, char * * argv)
const char bad_command[] = { 0xff, 0xff };
const char overflow[] = { 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
const char command5[] = { 0x05, 0x00 };
const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f};
int s;
int i;
void * tmp;
@@ -180,6 +181,15 @@ main(int argc, char * * argv)
n = read(s, buf, sizeof(buf));
printf("Response received %d bytes\n", (int)n);
printresponse(buf, n);
if(n == 0) {
close(s);
s = connect_unix_socket(sockpath);
}

n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
n = read(s, buf, sizeof(buf));
printf("Response received %d bytes\n", (int)n);
printresponse(buf, n);

close(s);
return 0;
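Review bot: The new bad_command4 case at the end of main() cannot fail on its own: the reply is only printed and main still returns 0, so a regression of the length check would go unnoticed unless someone watches the daemon by hand. The value assigned by `n = SENDCOMMAND(bad_command4, sizeof(bad_command4));` is overwritten by `read` on the next line without being looked at, and a negative n from `read` is handed straight to printresponse; a guard such as `if(n < 0) { perror("read"); close(s); return 1; }` after the read would give the test a failing exit status. A short comment on `bad_command4` saying that it is a type 4 request whose second length field is deliberately oversized (as the bytes suggest) would also help the next reader. main starts and continues outside these hunks.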
