Fix a crash when receiving UPnP responses with abnormally long values.
This is CVE-2013-0274.
The problem was detected by Coverity static analysis and fixed by
Daniel Atallah.
This should fix CIDs 731954, 731953, 731952, 731951, and 731950
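--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,8 @@
 --with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
 
 libpurple:
+ * Fix a crash when receiving UPnP responses with abnormally long values.
+ (CVE-2013-0274)
 * Don't link directly to libgcrypt when building with GnuTLS support.
 (Bartosz Brachaczek) (#15329)
 * Fix UPnP mappings on routers that return empty <URLBase/> elements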
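--- a/libpurple/upnp.c
+++ b/libpurple/upnp.c
@@ -409,7 +409,7 @@
 : PURPLE_UPNP_STATUS_UNABLE_TO_DISCOVER;
 control_info.lookup_time = time(NULL);
 control_info.control_url = control_url;
-strncpy(control_info.service_type, dd->service_type,
+g_strlcpy(control_info.service_type, dd->service_type,
 sizeof(control_info.service_type));
 
 fire_discovery_callbacks(control_url != NULL);
@@ -601,9 +601,9 @@
 sentSuccess = FALSE;
 
 if((dd->retry_count % 2) == 0) {
-strncpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
+g_strlcpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
 } else {
-strncpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
+g_strlcpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
 }
 
 sendMessage = g_strdup_printf(SEARCH_REQUEST_STRING, dd->service_type);
@@ -787,7 +787,7 @@
 }
 *temp2 = '\0';
 
-strncpy(control_info.publicip, temp + 1,
+g_strlcpy(control_info.publicip, temp + 1,
 sizeof(control_info.publicip));
 
 purple_debug_info("upnp", "NAT Returned IP: %s\n", control_info.publicip);
@@ -822,7 +822,7 @@
 looked_up_internal_ip_cb(gpointer data, gint source, const gchar *error_message)
 {
 if (source != -1) {
-strncpy(control_info.internalip,
+g_strlcpy(control_info.internalip,
 purple_network_get_local_system_ip(source),
 sizeof(control_info.internalip));
 purple_debug_info("upnp", "Local IP: %s\n",
@@ -975,7 +975,7 @@
 ar->cb_data = cb_data;
 ar->add = TRUE;
 ar->portmap = portmap;
-strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 /* If we're waiting for a discovery, add to the callbacks list */
 if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {
@@ -1022,7 +1022,7 @@
 ar->cb_data = cb_data;
 ar->add = FALSE;
 ar->portmap = portmap;
-strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 /* If we're waiting for a discovery, add to the callbacks list */
 if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {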
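Review bot: In the -787 hunk, g_strlcpy guarantees the terminator that strncpy did not, but it still truncates silently, so an over-long value from the UPnP response leaves a clipped string in control_info.publicip that the purple_debug_info line right after it, and whatever later reads the field, treat as a valid address. g_strlcpy returns the full source length, so the over-long case is detectable at the call site, e.g. `if (g_strlcpy(control_info.publicip, temp + 1, sizeof(control_info.publicip)) >= sizeof(control_info.publicip)) { purple_debug_error("upnp", "NAT returned an over-long IP, ignoring\n"); /* treat the response as malformed */ }` rather than keeping the partial value. The same silent-truncation concern applies to the service_type copy in the -409 hunk, which also originates from a received description, and to the internalip copy in the -822 hunk; the two ar->protocol copies take caller-supplied constants and are lower risk. The function enclosing the -787 hunk starts and ends outside it, and looked_up_internal_ip_cb continues past the -822 hunk.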