miniupnpd/upnphttp.c: fix buffer overrun in ParseHttpHeaders() if Con…

…tent-Length doesn't contain any digit Credits goes to Stephen Röttger of the Google Security Team for identifying the vulnerabilities
miniupnp · Dec 9, 2014 · dd39eca · dd39eca
1 parent e6bc04a
commit dd39eca
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/miniupnpd/Changelog.txt b/miniupnpd/Changelog.txt
@@ -4,6 +4,7 @@ $Id: Changelog.txt,v 1.391 2014/12/09 09:48:04 nanard Exp $
   fix upnp_add_inboundpinhole() : check inet_pton() return
   fix upnp_redirect() : check inet_aton() return
   fix potential memory corruption in upnpsoap.c/GetListOfPortMappings()
+  fix buffer overrun in ParseHttpHeaders() if Content-Length doesn't contain any digit !
     Credits goes to Stephen Röttger of the Google Security Team for identifying
     the vulnerabilities
 

diff --git a/miniupnpd/upnphttp.c b/miniupnpd/upnphttp.c
@@ -1,4 +1,4 @@
-/* $Id: upnphttp.c,v 1.91 2014/04/09 14:08:12 nanard Exp $ */
+/* $Id: upnphttp.c,v 1.94 2014/12/09 09:46:45 nanard Exp $ */
 /* Project :  miniupnp
  * Website :  http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
  * Author :   Thomas Bernard
@@ -223,7 +223,7 @@ ParseHttpHeaders(struct upnphttp * h)
 			if(strncasecmp(line, "Content-Length", 14)==0)
 			{
 				p = colon;
-				while(*p < '0' || *p > '9')
+				while((*p < '0' || *p > '9') && (*p != '\r') && (*p != '\n'))
 					p++;
 				h->req_contentlen = atoi(p);
 				if(h->req_contentlen < 0) {