Fix a crash when receiving UPnP responses with abnormally long values. release-2.x.y v2.10.7
author Mark Doliner <mark@kingant.net>
Mon, 11 Feb 2013 01:13:50 -0800
branch release-2.x.y
changesetad7e7fb98db3 pushlog
parent c31cf8de31cd
child b8c823f37692
Fix a crash when receiving UPnP responses with abnormally long values.


This is CVE-2013-0274.

The problem was detected by Coverity static analysis and fixed by
Daniel Atallah.

This should fix CIDs 731954, 731953, 731952, 731951, and 731950.
ChangeLog
libpurple/upnp.c
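--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,8 @@
 	  --with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
 
 	libpurple:
+	* Fix a crash when receiving UPnP responses with abnormally long values.
+	  (CVE-2013-0274)
 	* Don't link directly to libgcrypt when building with GnuTLS support.
 	  (Bartosz Brachaczek) (#15329)
 	* Fix UPnP mappings on routers that return empty <URLBase/> elements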
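--- a/libpurple/upnp.c
+++ b/libpurple/upnp.c
@@ -409,7 +409,7 @@
 		: PURPLE_UPNP_STATUS_UNABLE_TO_DISCOVER;
 	control_info.lookup_time = time(NULL);
 	control_info.control_url = control_url;
-	strncpy(control_info.service_type, dd->service_type,
+	g_strlcpy(control_info.service_type, dd->service_type,
 		sizeof(control_info.service_type));
 
 	fire_discovery_callbacks(control_url != NULL);
@@ -601,9 +601,9 @@
 		sentSuccess = FALSE;
 
 		if((dd->retry_count % 2) == 0) {
-			strncpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
+			g_strlcpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
 		} else {
-			strncpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
+			g_strlcpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
 		}
 
 		sendMessage = g_strdup_printf(SEARCH_REQUEST_STRING, dd->service_type);
@@ -787,7 +787,7 @@
 	}
 	*temp2 = '\0';
 
-	strncpy(control_info.publicip, temp + 1,
+	g_strlcpy(control_info.publicip, temp + 1,
 			sizeof(control_info.publicip));
 
 	purple_debug_info("upnp", "NAT Returned IP: %s\n", control_info.publicip);
@@ -822,7 +822,7 @@
 looked_up_internal_ip_cb(gpointer data, gint source, const gchar *error_message)
 {
 	if (source != -1) {
-		strncpy(control_info.internalip,
+		g_strlcpy(control_info.internalip,
 			purple_network_get_local_system_ip(source),
 			sizeof(control_info.internalip));
 		purple_debug_info("upnp", "Local IP: %s\n",
@@ -975,7 +975,7 @@
 	ar->cb_data = cb_data;
 	ar->add = TRUE;
 	ar->portmap = portmap;
-	strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+	g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 	/* If we're waiting for a discovery, add to the callbacks list */
 	if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {
@@ -1022,7 +1022,7 @@
 	ar->cb_data = cb_data;
 	ar->add = FALSE;
 	ar->portmap = portmap;
-	strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+	g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 	/* If we're waiting for a discovery, add to the callbacks list */
 	if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {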
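Review bot: The g_strlcpy at @@ -787 guarantees control_info.publicip is NUL-terminated, but an over-long value in the NAT response is now silently truncated and the truncated string is stored and logged as the router's public IP; g_strlcpy returns the length of the source, so the copy should be checked, e.g. `if (g_strlcpy(control_info.publicip, temp + 1, sizeof(control_info.publicip)) >= sizeof(control_info.publicip)) { purple_debug_error("upnp", "NAT returned an over-long IP address\n"); }` and the value then treated as invalid rather than used. How that function reports failure is not visible here, since it starts and ends outside the hunk. The same silent truncation applies to the internalip copy in looked_up_internal_ip_cb (@@ -822) and to the two ar->protocol copies at @@ -975 and @@ -1022; those sources are locally produced rather than network-supplied, so a comment on the struct fields stating the buffers are sized for every accepted value (`/* sized for "TCP"/"UDP"; g_strlcpy truncates anything longer */`) would be enough there.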