@laanwj laanwj commented Oct 25, 2015

I found these bugs during a security audit of miniupnpc in the context of TALOS-2015-0035 in Bitcoin Core, and tried to fix them.

Neither of these is a remote vulnerability, as they are triggered by input from the application, not from the network. However, they lead to exposure of memory contents or stack overflows when used as part of a multi-pronged exploit.

  • Check return value of snprintf: snprintf on Linux returns the number of characters that would have been written if there was enough space in the buffer. Return an error condition if space was not sufficient.
  • Account exactly for bytes when building buffer in simpleUPnPcommand2. The margin of 100 is not guaranteed to always be enough. When long parameters are passed in, it was possible to overflow the buffer.

Verify that the buffer size was large enough to write the output,
raise an error condition if not.

Account exactly for bytes when building buffer in simpleUPnPcommand2.
The margin of 100 is not guaranteed to always be enough. When long
parameters are passed in, it was possible to overflow the buffer.
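
The two checks described in this pull request, shown as an added example that is not part of the original PR or of miniupnpc's code. The function names, the format string and the sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a miniupnpc function). snprintf returns the length
 * it WOULD have written, so a result >= size means the output was truncated
 * and must not be used as a byte count. Returns the length, or -1 on error. */
int format_request_line(char *buf, size_t size, const char *path, const char *host)
{
    int n = snprintf(buf, size, "POST %s HTTP/1.1\r\nHost: %s\r\n\r\n", path, host);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

/* Hypothetical helper: appends "<name>value</name>" at offset *used, checking
 * the exact byte count against the space left instead of trusting a fixed
 * margin. Returns 0 on success, -1 if it does not fit (buffer unchanged). */
int append_element(char *buf, size_t size, size_t *used,
                   const char *name, const char *value)
{
    size_t nl = strlen(name), vl = strlen(value);
    size_t need = 1 + nl + 1 + vl + 2 + nl + 1;   /* '<' '>' "</" '>' */
    if (*used > size || need >= size - *used)     /* keep one byte for NUL */
        return -1;
    char *p = buf + *used;
    *p++ = '<'; memcpy(p, name, nl); p += nl; *p++ = '>';
    memcpy(p, value, vl); p += vl;
    *p++ = '<'; *p++ = '/'; memcpy(p, name, nl); p += nl; *p++ = '>';
    *p = '\0';
    *used += need;
    return 0;
}

int main(void)
{
    char small[16], body[32];
    size_t used = 0;
    /* Constructed inputs: the request line and the second element are too long. */
    printf("%d\n", format_request_line(small, sizeof small, "/ctl", "192.0.2.1"));
    printf("%d\n", append_element(body, sizeof body, &used, "NewPort", "8333"));
    printf("%d\n", append_element(body, sizeof body, &used, "NewDesc",
                                  "a-very-long-description"));
    printf("%s (%zu bytes)\n", body, used);
    return 0;
}
```
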
laanwj commented Oct 25, 2015

Can't explain the appveyor CI error, looks like a build system issue, but this change does not touch the build system:

sh: C:\Program: No such file or directory
Makefile.mingw:49: recipe for target 'miniupnpc.lib' failed
mingw32-make: *** [miniupnpc.lib] Error 127
Command exited with code 2

@miniupnp
Owner

I fixed the AppVeyor script

@miniupnp miniupnp merged commit fb02299 into miniupnp:master Oct 26, 2015
miniupnp added a commit that referenced this pull request Oct 26, 2015
see PR #157 : String handling fixes