Red Hat Bugzilla – Attachment 667154 Details for
Bug 883790
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)
[patch]
Patch for VU#922681 against libupnp 1.8 branch
0001-Security-fix-for-CERT-issue-VU-922681.branch-1.8.patch (text/plain), 4.62 KB, created by
Jan Lieskovsky
on 2012-12-21 10:15:17 UTC
Description:
Patch for VU#922681 against libupnp 1.8 branch
Filename:
MIME Type:
Creator:
Jan Lieskovsky
Created:
2012-12-21 10:15:17 UTC
Size:
4.62 KB
>This patch addresses three possible buffer overflows in function
>unique_service_name(). The three issues have the folowing CVE
>numbers:
>
>CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
>CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
>CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
>
>Notice that the following issues have already been dealt by previous
>work:
>
>CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
>CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
>CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
>CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
>CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
>(cherry picked from commit f015a132e82239cbf40dcb2346d7bee83685531b)
>---
> ChangeLog | 20 ++++++++++++++++++++
> upnp/src/ssdp/ssdp_server.c | 18 ++++++++++--------
> 2 files changed, 30 insertions(+), 8 deletions(-)
>
>diff --git a/ChangeLog b/ChangeLog
>index d3ba399..0d08ebb 100644
>--- a/ChangeLog
>+++ b/ChangeLog
>@@ -349,6 +349,26 @@ Version 1.8.0
> Version 1.6.18
> *******************************************************************************
>
>+2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>
>+
>+ Security fix for CERT issue VU#922681
>+
>+ This patch addresses three possible buffer overflows in function
>+ unique_service_name(). The three issues have the folowing CVE numbers:
>+
>+ CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
>+ CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
>+ CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
>+
>+ Notice that the following issues have already been dealt by previous
>+ work:
>+
>+ CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
>+ CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
>+ CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
>+ CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
>+ CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
>+
> 2012-06-19 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
>
> Fix memory leak and access violation in UpnpSendAction(Ex)Async.
>diff --git a/upnp/src/ssdp/ssdp_server.c b/upnp/src/ssdp/ssdp_server.c
>index 231c2c5..8a57d08 100644
>--- a/upnp/src/ssdp/ssdp_server.c
>+++ b/upnp/src/ssdp/ssdp_server.c
>@@ -467,16 +467,16 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
> else
> return -1;
> if (ptr3 != NULL) {
>- if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof(Evt->UDN))
>+ if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
> return -1;
>- snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s",
>- ptr3 + 1);
>+ snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
> }
> else
> return -1;
> ptr1 = strstr(cmd, ":");
> if (ptr1 != NULL) {
> n = (size_t)ptr3 - (size_t)ptr1;
>+ n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
> strncpy(TempBuf, ptr1, n);
> TempBuf[n] = '\0';
> if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
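Review bot: The added clamp `n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;` silently truncates an over-long device-type field instead of rejecting it, while the UDN length check a few lines above in the same hunk fails closed with `return -1`. The truncated text then goes on to the `Evt->DeviceType` length check and may be accepted as a shorter value than the peer actually sent; rejecting is the safer and more consistent choice, `if (n >= sizeof TempBuf) return -1;`. That test would also catch a wrap-around of `(size_t)ptr3 - (size_t)ptr1` should `ptr3` ever precede `ptr1` (`ptr3` is assigned outside the hunk, so this is unconfirmed). The same clamp-and-truncate pattern is added for `Evt->UDN` in the hunks at -490 and -518. unique_service_name() starts and ends outside this hunk.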
>@@ -490,27 +490,28 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
> if ((TempPtr = strstr(cmd, "uuid")) != NULL) {
> if ((Ptr = strstr(cmd, "::")) != NULL) {
> n = (size_t)Ptr - (size_t)TempPtr;
>+ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
> strncpy(Evt->UDN, TempPtr, n);
> Evt->UDN[n] = '\0';
> } else {
> memset(Evt->UDN, 0, sizeof(Evt->UDN));
>- strncpy(Evt->UDN, TempPtr, sizeof(Evt->UDN) - 1);
>+ strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
> }
> CommandFound = 1;
> }
> if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) {
> if ((TempPtr = strstr(cmd, "urn")) != NULL) {
>- memset(Evt->ServiceType, 0, sizeof(Evt->ServiceType));
>+ memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
> strncpy(Evt->ServiceType, TempPtr,
>- sizeof(Evt->ServiceType) - 1);
>+ sizeof Evt->ServiceType - 1);
> CommandFound = 1;
> }
> }
> if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) {
> if ((TempPtr = strstr(cmd, "urn")) != NULL) {
>- memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
>+ memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
> strncpy(Evt->DeviceType, TempPtr,
>- sizeof(Evt->DeviceType) - 1);
>+ sizeof Evt->DeviceType - 1);
> CommandFound = 1;
> }
> }
>@@ -518,6 +519,7 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
> /* Everything before "::upnp::rootdevice" is the UDN. */
> if (TempPtr != cmd) {
> n = (size_t)TempPtr - (size_t)cmd;
>+ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
> strncpy(Evt->UDN, cmd, n);
> Evt->UDN[n] = 0;
> CommandFound = 1;
>--
>1.7.7
>
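Review bot: In the `uuid` branch, `Ptr` is found with `strstr(cmd, "::")` rather than by searching from `TempPtr`, so when `::` occurs before `uuid` in the request, `(size_t)Ptr - (size_t)TempPtr` wraps to a very large value. The new clamp keeps the `strncpy` inside `Evt->UDN`, but the field then holds up to `sizeof Evt->UDN - 1` bytes of whatever follows `uuid` instead of the text up to the separator. Searching from the match, `if ((Ptr = strstr(TempPtr, "::")) != NULL) {`, makes the length non-negative by construction. Separately, the `sizeof(x)` to `sizeof x` rewrites in this hunk are cosmetic and would be easier to backport around if kept out of the security fix. The function body continues outside the hunk.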