On Fri, Jul 12, 2013 at 2:16 PM, <cyoung@xxxxxxxxxxxx> wrote:
> ...
>
> This issue was addressed on April 26, 2013 as noted in the changelog:
> http://miniupnp.free.fr/files/changelog.php?file=miniupnpd-1.8.20130607.tar.gz
>
> 2013/04/26:
> Correctly handle truncated snprintf() in SSDP code
>
> The problem is illustrated in the following code snippet:
> Minissdp.c:
> 203 static void SendSSDPAnnounce2(int s, struct sockaddr_in sockname,
> 204                               const char * st, int st_len,
> 205                               const char * host, unsigned short port)
> 206 {
> 207     int l, n;
> 208     char buf[512];
> 209     /* TODO :
> 210      * follow guideline from document "UPnP Device Architecture 1.0"
> 211      * put in uppercase.
> 212      * DATE: is recommended
> 213      * SERVER: OS/ver UPnP/1.0 miniupnpd/1.0
> 214      * */
> 215     l = snprintf(buf, sizeof(buf), "HTTP/1.1 200 OK\r\n"
> 216         "Cache-Control: max-age=120\r\n"
> 217         "ST: %.*s\r\n"
> 218         "USN: %s::%.*s\r\n"
> 219         "EXT:\r\n"
> 220         "Server: " MINIUPNPD_SERVER_STRING "\r\n"
> 221         "Location: http://%s:%u" ROOTDESC_PATH "\r\n"
> 222         "\r\n",
> 223         st_len, st,
> 224         uuidvalue, st_len, st,
> 225         host, (unsigned int)port);
> 226     n = sendto(s, buf, l, 0,
> 227                (struct sockaddr *)&sockname, sizeof(struct sockaddr_in) );
> 228 #if 0 //JM: Don't fill up syslog, even in error condition
> 229     if(n<0)
> 230     {
> 231         syslog(LOG_ERR, "sendto: %m");
> 232     }
> 233 #endif
> 234 }
>
> Notice that the sendto on line 226 is using the snprintf return value, l,
> from line 215 without considering whether l > sizeof(buf) as is the case
> when the buffer is truncated.

Truncation occurs at l >= sizeof(buf) because of the terminating NULL.

Jeff
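As an added example (not code from the thread or from miniupnpd), the check the quoted code is missing, written in C with hypothetical stand-in values for MINIUPNPD_SERVER_STRING and ROOTDESC_PATH; it keeps the raw snprintf() result alongside the clamped length so the difference a defender cares about is visible:

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for the build macros in the quoted code. */
#define MINIUPNPD_SERVER_STRING "ExampleOS/1.0 UPnP/1.0 example-upnpd/1.0"
#define ROOTDESC_PATH "/rootDesc.xml"

/* Format the same reply as the quoted SendSSDPAnnounce2() into buf and
 * return the byte count that may safely go to sendto(): -1 on encoding
 * error, else the bytes really present in buf.  *would_be gets the raw
 * snprintf() result, i.e. the length the WHOLE message would have had;
 * once it reaches bufsz only bufsz-1 chars plus the NUL were written. */
int build_ssdp_response(char *buf, size_t bufsz, const char *st,
                        const char *uuid, const char *host,
                        unsigned short port, int *truncated, int *would_be)
{
    int l = snprintf(buf, bufsz,
                     "HTTP/1.1 200 OK\r\n"
                     "Cache-Control: max-age=120\r\n"
                     "ST: %s\r\n"
                     "USN: %s::%s\r\n"
                     "EXT:\r\n"
                     "Server: " MINIUPNPD_SERVER_STRING "\r\n"
                     "Location: http://%s:%u" ROOTDESC_PATH "\r\n"
                     "\r\n",
                     st, uuid, st, host, (unsigned int)port);
    *would_be = l; *truncated = 0;
    if (l < 0)
        return -1;                 /* encoding error: send nothing */
    if ((size_t)l >= bufsz) {      /* the check the quoted code lacks */
        *truncated = 1;
        return (int)bufsz - 1;     /* bytes actually in buf, minus NUL */
    }
    return l;
}

int main(void)
{
    char buf[512], st[700];
    int n, trunc, raw;
    memset(st, 'A', sizeof(st) - 1);   /* constructed oversized ST value */
    st[sizeof(st) - 1] = '\0';
    n = build_ssdp_response(buf, sizeof(buf), st, "uuid:constructed",
                            "192.0.2.1", 5000, &trunc, &raw);
    printf("snprintf returned %d, buf holds %d bytes, truncated=%d\n",
           raw, n, trunc);
    printf("unchecked sendto(s, buf, %d) would read %d bytes past buf\n",
           raw, raw - (int)sizeof(buf));
    return 0;
}
```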