From: Dragos Oancea <dragos@signalwire.com>
Date: Wed, 22 Jan 2020 18:31:49 +0000 (+0000)
Subject: [miniupnpc] fix heap-buffer-overflow reported by ASAN (on read)
X-Git-Tag: v1.10.3^2~253^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F257%2Fhead;p=thirdparty%2Ffreeswitch.git

[miniupnpc] fix heap-buffer-overflow reported by ASAN (on read)
---

diff --git a/libs/miniupnpc/minissdpc.c b/libs/miniupnpc/minissdpc.c
index aa939fb7fb..96133ff12f 100644
--- a/libs/miniupnpc/minissdpc.c
+++ b/libs/miniupnpc/minissdpc.c
@@ -46,7 +46,7 @@ getDevicesFromMiniSSDPD(const char * devtype, const char * socketpath)
 	unsigned char * p;
 	unsigned char * url;
 	unsigned int i;
-	unsigned int urlsize, stsize, usnsize, l;
+	unsigned int urlsize, stsize, usnsize, l, plen;
 	int s;
 	struct sockaddr_un addr;
 
@@ -58,7 +58,12 @@ getDevicesFromMiniSSDPD(const char * devtype, const char * socketpath)
 		return NULL;
 	}
 	addr.sun_family = AF_UNIX;
-	memcpy(addr.sun_path, socketpath, sizeof(addr.sun_path));
+	plen = strlen(socketpath);
+	if (plen + 1 > sizeof(addr.sun_path)) {
+		plen = sizeof(addr.sun_path) - 1;
+	}
+	memset(addr.sun_path, 0, sizeof(addr.sun_path));
+	memcpy(addr.sun_path, socketpath, plen);
 	if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0)
 	{
 		/*syslog(LOG_WARNING, "connect(\"%s\"): %m", socketpath);*/