libupnp-1.6.19: Fix CVE-2016-8863 [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771 gena_device: Fix out-of-bound access in create_url_list() If there is an invalid URL in URLS->buf after a valid one, uri_parse is called with out pointing after the allocated memory. As uri_parse writes to *out before returning an error the loop in create_url_list must be stopped early to prevent an out-of-bound access Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7] CVE: CVE-2016-8863 Signed-off-by: Andrej Valek Signed-off-by: Pascal Bach diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c index 39edc0b..0fd60ad 100644 --- a/upnp/src/gena/gena_device.c +++ b/upnp/src/gena/gena_device.c @@ -1133,7 +1133,7 @@ static int create_url_list( /*! [out] . */ URL_list *out) { - size_t URLcount = 0; + size_t URLcount = 0, URLcount2 = 0; size_t i; int return_code = 0; uri_type temp; @@ -1175,16 +1175,23 @@ static int create_url_list( } memcpy( out->URLs, URLS->buff, URLS->size ); out->URLs[URLS->size] = 0; - URLcount = 0; for( i = 0; i < URLS->size; i++ ) { if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) { if( ( ( return_code = parse_uri( &out->URLs[i + 1], URLS->size - i + 1, - &out->parsedURLs[URLcount] ) ) == + &out->parsedURLs[URLcount2] ) ) == HTTP_SUCCESS ) - && ( out->parsedURLs[URLcount].hostport.text.size != + && ( out->parsedURLs[URLcount2].hostport.text.size != 0 ) ) { - URLcount++; + URLcount2++; + if (URLcount2 >= URLcount) + /* + * break early here in case there is a bogus URL that + * was skipped above. This prevents to access + * out->parsedURLs[URLcount] which is beyond the + * allocation. + */ + break; } else { if( return_code == UPNP_E_OUTOF_MEMORY ) { free( out->URLs );