/pidgin/main: ad7e7fb98db3: Fix a crash when receiving UPnP resp...

Mark Doliner mark at kingant.net
Wed Feb 13 09:59:53 EST 2013


Changeset: ad7e7fb98db3bbd7bf9ab49072fd34cd4fa25dd9
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2013-02-11 01:13 -0800
Branch:	 release-2.x.y
URL: http://hg.pidgin.im/pidgin/main/rev/ad7e7fb98db3

Description:

Fix a crash when receiving UPnP responses with abnormally long values.


This is CVE-2013-0274.

The problem was detected by Coverity static analysis and fixed by
Daniel Atallah.

This should fix CIDs 731954, 731953, 731952, 731951, and 731950

diffstat:

 ChangeLog        |   2 ++
 libpurple/upnp.c |  14 +++++++-------
 2 files changed, 9 insertions(+), 7 deletions(-)

diffs (72 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,8 @@ version 2.10.7 (02/13/2013):
 	  --with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
 
 	libpurple:
+	* Fix a crash when receiving UPnP responses with abnormally long values.
+	  (CVE-2013-0274)
 	* Don't link directly to libgcrypt when building with GnuTLS support.
 	  (Bartosz Brachaczek) (#15329)
 	* Fix UPnP mappings on routers that return empty <URLBase/> elements
diff --git a/libpurple/upnp.c b/libpurple/upnp.c
--- a/libpurple/upnp.c
+++ b/libpurple/upnp.c
@@ -409,7 +409,7 @@ upnp_parse_description_cb(PurpleUtilFetc
 		: PURPLE_UPNP_STATUS_UNABLE_TO_DISCOVER;
 	control_info.lookup_time = time(NULL);
 	control_info.control_url = control_url;
-	strncpy(control_info.service_type, dd->service_type,
+	g_strlcpy(control_info.service_type, dd->service_type,
 		sizeof(control_info.service_type));
 
 	fire_discovery_callbacks(control_url != NULL);
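Review bot: The new g_strlcpy calls fix the missing terminator but still discard the return value, so an over-long source is silently clipped and the code continues with the truncated string; this applies to all six hunks in libpurple/upnp.c and matters most in looked_up_public_ip_cb, where `temp + 1` is taken from the router's response. g_strlcpy returns the length of the source, so truncation is detectable at the call site, e.g. `if (g_strlcpy(control_info.publicip, temp + 1, sizeof(control_info.publicip)) >= sizeof(control_info.publicip)) { purple_debug_error("upnp", "NAT returned an over-long IP, ignoring\n"); control_info.publicip[0] = '\0'; }`, which keeps a clipped value from being logged and later treated as the public address. In looked_up_internal_ip_cb, if purple_network_get_local_system_ip() can return NULL (not visible here), g_strlcpy's precondition check returns 0 without writing dest, so a stale internalip from an earlier lookup would survive; a NULL check before the copy would make that case explicit. Each enclosing function starts outside its hunk.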
@@ -601,9 +601,9 @@ purple_upnp_discover_send_broadcast(UPnP
 		sentSuccess = FALSE;
 
 		if((dd->retry_count % 2) == 0) {
-			strncpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
+			g_strlcpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
 		} else {
-			strncpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
+			g_strlcpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
 		}
 
 		sendMessage = g_strdup_printf(SEARCH_REQUEST_STRING, dd->service_type);
@@ -787,7 +787,7 @@ looked_up_public_ip_cb(PurpleUtilFetchUr
 	}
 	*temp2 = '\0';
 
-	strncpy(control_info.publicip, temp + 1,
+	g_strlcpy(control_info.publicip, temp + 1,
 			sizeof(control_info.publicip));
 
 	purple_debug_info("upnp", "NAT Returned IP: %s\n", control_info.publicip);
@@ -822,7 +822,7 @@ static void
 looked_up_internal_ip_cb(gpointer data, gint source, const gchar *error_message)
 {
 	if (source != -1) {
-		strncpy(control_info.internalip,
+		g_strlcpy(control_info.internalip,
 			purple_network_get_local_system_ip(source),
 			sizeof(control_info.internalip));
 		purple_debug_info("upnp", "Local IP: %s\n",
@@ -975,7 +975,7 @@ purple_upnp_set_port_mapping(unsigned sh
 	ar->cb_data = cb_data;
 	ar->add = TRUE;
 	ar->portmap = portmap;
-	strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+	g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 	/* If we're waiting for a discovery, add to the callbacks list */
 	if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {
@@ -1022,7 +1022,7 @@ purple_upnp_remove_port_mapping(unsigned
 	ar->cb_data = cb_data;
 	ar->add = FALSE;
 	ar->portmap = portmap;
-	strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+	g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 	/* If we're waiting for a discovery, add to the callbacks list */
 	if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {


