Mon, 11 Feb 2013 01:13:50 -0800
Fix a crash when receiving UPnP responses with abnormally long values.
This is CVE-2013-0274.
The problem was detected by Coverity static analysis and fixed by
Daniel Atallah.
This should fix CIDs 731954, 731953, 731952, 731951, and 731950
--- a/ChangeLog Mon Feb 11 01:11:47 2013 -0800
+++ b/ChangeLog Mon Feb 11 01:13:50 2013 -0800
@@ -10,6 +10,8 @@
 --with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
 libpurple:
+ * Fix a crash when receiving UPnP responses with abnormally long values.
+ (CVE-2013-0274)
 * Don't link directly to libgcrypt when building with GnuTLS support.
 (Bartosz Brachaczek) (#15329)
 * Fix UPnP mappings on routers that return empty <URLBase/> elements
--- a/libpurple/upnp.c Mon Feb 11 01:11:47 2013 -0800
+++ b/libpurple/upnp.c Mon Feb 11 01:13:50 2013 -0800
@@ -409,7 +409,7 @@
 : PURPLE_UPNP_STATUS_UNABLE_TO_DISCOVER;
 control_info.lookup_time = time(NULL);
 control_info.control_url = control_url;
- strncpy(control_info.service_type, dd->service_type,
+ g_strlcpy(control_info.service_type, dd->service_type,
 sizeof(control_info.service_type));
 fire_discovery_callbacks(control_url != NULL);
@@ -601,9 +601,9 @@
 sentSuccess = FALSE;
 if((dd->retry_count % 2) == 0) {
- strncpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
+ g_strlcpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
 } else {
- strncpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
+ g_strlcpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
 }
 sendMessage = g_strdup_printf(SEARCH_REQUEST_STRING, dd->service_type);
@@ -787,7 +787,7 @@
 }
 *temp2 = '\0';
- strncpy(control_info.publicip, temp + 1,
+ g_strlcpy(control_info.publicip, temp + 1,
 sizeof(control_info.publicip));
 purple_debug_info("upnp", "NAT Returned IP: %s\n", control_info.publicip);
@@ -822,7 +822,7 @@
 looked_up_internal_ip_cb(gpointer data, gint source, const gchar *error_message)
 {
 if (source != -1) {
- strncpy(control_info.internalip,
+ g_strlcpy(control_info.internalip,
 purple_network_get_local_system_ip(source),
 sizeof(control_info.internalip));
 purple_debug_info("upnp", "Local IP: %s\n",
@@ -975,7 +975,7 @@
 ar->cb_data = cb_data;
 ar->add = TRUE;
 ar->portmap = portmap;
- strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+ g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 /* If we're waiting for a discovery, add to the callbacks list */
 if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {
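Review bot: Truncation is still silent at the new g_strlcpy in the @@ -787,7 hunk: the source is response text between `temp + 1` and the NUL written at `*temp2`, so an over-long value now becomes a cut-off string that is logged and kept as control_info.publicip instead of being rejected. g_strlcpy returns the full source length, so the call can detect this, e.g. `if (g_strlcpy(control_info.publicip, temp + 1, sizeof(control_info.publicip)) >= sizeof(control_info.publicip)) { purple_debug_error("upnp", "NAT returned an over-long IP, ignoring it\n"); /* TODO: take the same path as a failed lookup */ }`. The same silent truncation remains in the @@ -409, @@ -822 and @@ -975 hunks and in the @@ -1022 hunk on the next line, whose sources are an earlier response field, purple_network_get_local_system_ip() or a caller-supplied protocol string; the @@ -601 hunk copies fixed macros, where a compile-time check of their length against sizeof(dd->service_type) would be the natural form. The enclosing function of every hunk begins and ends outside the hunk.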
@@ -1022,7 +1022,7 @@
 ar->cb_data = cb_data;
 ar->add = FALSE;
 ar->portmap = portmap;
- strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+ g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 /* If we're waiting for a discovery, add to the callbacks list */
 if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {