[miniupnpc] fix heap-buffer-overflow reported by ASAN (on read)

author Dragos Oancea <dragos@signalwire.com>

Wed, 22 Jan 2020 18:31:49 +0000 (18:31 +0000)

committer Dragos Oancea <dragos@signalwire.com>

Wed, 22 Jan 2020 19:07:06 +0000 (19:07 +0000)
author Dragos Oancea <dragos@signalwire.com>
Wed, 22 Jan 2020 18:31:49 +0000 (18:31 +0000)
committer Dragos Oancea <dragos@signalwire.com>
Wed, 22 Jan 2020 19:07:06 +0000 (19:07 +0000)
diff --git a/libs/miniupnpc/minissdpc.c b/libs/miniupnpc/minissdpc.c

index aa939fb7fb27e9721429160da19329a7ec96c519..96133ff12fd242548fe2f92e234f73b32c9e8586 100644 (file)
--- a/libs/miniupnpc/minissdpc.c
+++ b/libs/miniupnpc/minissdpc.c
@@ -46,7 +46,7 @@ getDevicesFromMiniSSDPD(const char * devtype, const char * socketpath)
         unsigned char * p;
         unsigned char * url;
         unsigned int i;
-       unsigned int urlsize, stsize, usnsize, l;
+       unsigned int urlsize, stsize, usnsize, l, plen;
         int s;
         struct sockaddr_un addr;
  
@@ -58,7 +58,12 @@ getDevicesFromMiniSSDPD(const char * devtype, const char * socketpath)
                 return NULL;
         }
         addr.sun_family = AF_UNIX;
-       memcpy(addr.sun_path, socketpath, sizeof(addr.sun_path));
+       plen = strlen(socketpath);
+       if (plen + 1 > sizeof(addr.sun_path)) {
+               plen = sizeof(addr.sun_path) - 1;
+       }
+       memset(addr.sun_path, 0, sizeof(addr.sun_path));
+       memcpy(addr.sun_path, socketpath, plen);
         if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0)
         {
                 /*syslog(LOG_WARNING, "connect(\"%s\"): %m", socketpath);*/
author	Dragos Oancea <dragos@signalwire.com>
	Wed, 22 Jan 2020 18:31:49 +0000 (18:31 +0000)
committer	Dragos Oancea <dragos@signalwire.com>
	Wed, 22 Jan 2020 19:07:06 +0000 (19:07 +0000)