Fix a crash when receiving UPnP responses with abnormally long values. release-2.x.y v2.10.7
authorMark Doliner <mark@kingant.net>
Mon, 11 Feb 2013 01:13:50 -0800
branchrelease-2.x.y
changesetad7e7fb98db3 pushlog
parent c31cf8de31cd
child b8c823f37692
Fix a crash when receiving UPnP responses with abnormally long values.


This is CVE-2013-0274.

The problem was detected by Coverity static analysis and fixed by
Daniel Atallah.

This should fix CIDs 731954, 731953, 731952, 731951, and 731950
ChangeLog
libpurple/upnp.c
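--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,8 @@
 	  --with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
 
 	libpurple:
+	* Fix a crash when receiving UPnP responses with abnormally long values.
+	  (CVE-2013-0274)
 	* Don't link directly to libgcrypt when building with GnuTLS support.
 	  (Bartosz Brachaczek) (#15329)
 	* Fix UPnP mappings on routers that return empty <URLBase/> elements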
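--- a/libpurple/upnp.c
+++ b/libpurple/upnp.c
@@ -409,7 +409,7 @@
 		: PURPLE_UPNP_STATUS_UNABLE_TO_DISCOVER;
 	control_info.lookup_time = time(NULL);
 	control_info.control_url = control_url;
-	strncpy(control_info.service_type, dd->service_type,
+	g_strlcpy(control_info.service_type, dd->service_type,
 		sizeof(control_info.service_type));
 
 	fire_discovery_callbacks(control_url != NULL);
@@ -601,9 +601,9 @@
 		sentSuccess = FALSE;
 
 		if((dd->retry_count % 2) == 0) {
-			strncpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
+			g_strlcpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
 		} else {
-			strncpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
+			g_strlcpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
 		}
 
 		sendMessage = g_strdup_printf(SEARCH_REQUEST_STRING, dd->service_type);
@@ -787,7 +787,7 @@
 	}
 	*temp2 = '\0';
 
-	strncpy(control_info.publicip, temp + 1,
+	g_strlcpy(control_info.publicip, temp + 1,
 			sizeof(control_info.publicip));
 
 	purple_debug_info("upnp", "NAT Returned IP: %s\n", control_info.publicip);
@@ -822,7 +822,7 @@
 looked_up_internal_ip_cb(gpointer data, gint source, const gchar *error_message)
 {
 	if (source != -1) {
-		strncpy(control_info.internalip,
+		g_strlcpy(control_info.internalip,
 			purple_network_get_local_system_ip(source),
 			sizeof(control_info.internalip));
 		purple_debug_info("upnp", "Local IP: %s\n",
@@ -975,7 +975,7 @@
 	ar->cb_data = cb_data;
 	ar->add = TRUE;
 	ar->portmap = portmap;
-	strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+	g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 	/* If we're waiting for a discovery, add to the callbacks list */
 	if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {
@@ -1022,7 +1022,7 @@
 	ar->cb_data = cb_data;
 	ar->add = FALSE;
 	ar->portmap = portmap;
-	strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+	g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 	/* If we're waiting for a discovery, add to the callbacks list */
 	if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {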
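Review bot: The g_strlcpy in the `@@ -787` hunk now truncates an over-long public-IP value from the NAT response silently instead of overrunning the buffer, and its return value is discarded, so a hostile or misbehaving router can leave `control_info.publicip` holding an arbitrary prefix that is then logged and presumably used as the external address. g_strlcpy returns the length of the source, so truncation is detectable: `gsize n = g_strlcpy(control_info.publicip, temp + 1, sizeof(control_info.publicip));` followed by `if (n >= sizeof(control_info.publicip)) purple_debug_warning("upnp", "Public IP in NAT response too long; ignoring\n");` and then whatever this function does for a malformed response. The enclosing function starts and ends outside the hunk, so I cannot see which error path that is. The same return-value check would be reasonable for the `internalip` copy in the next hunk, though that source is local rather than network-supplied.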