Using an evaluation version of IBM Rational Purify, I noticed a read of uninitialized memory and actually
beyond malloced area by memcpy() in CheckOtherHTTPHeaders() in
It seems that the particular memcpy is invoked only to a certain type of
sizeof(RespInstr->AcceptLanguageHeader) is larger than LINE_SIZE, and
sizeof(RespInstr->AcceptLanguageHeader) - 1);
could access memory area beyond allocated by malloc(LINE_SIZE) under
some circumstances. So we should allocate large enough buffer.
Noticed on a Solaris 10 VM image. Funny, though, the other Solaris 10
VM image on a different LAN didn't produce the bug.
This problem seems to be timing-related as well as depending on the
applications that issue UPnP SSDP packets.
I noticed "opera" string in the parsed packet when I saw the memory
read error detected by purify, but can't say for sure whether it had
something to do with opera. Funny, does browser have something to
Now I confirmed it. I used Google to find "Opera Unite", which has
something to do with UPnP for file/media sharing, etc., and it seems to
send a UPnP SSDP packet that can trigger the bug.
I confirmed it by downloading the Opera browser and Opera Unite software
on my Windows PC. It uses UPnP to open a port at 8840, and when it sends
the packet to open the port, the receiving UPnP daemon causes the memcpy
under "case HDR_ACCEPT_LANGUAGE:" below to run and causes an
uninitialized memory read.
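The defect described above is a copy whose length comes from the destination (sizeof(dest) - 1) rather than from the source, so it reads past a malloc(LINE_SIZE) line buffer whenever the destination field is larger. The following is an added illustration, not code from the report or from the UPnP SDK: LINE_SIZE, the struct layout and the sample header value are constructed assumptions; it computes how far the original pattern would read and shows a bounded copy beside it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sizes (not the SDK's real values): the report only says the
 * destination field is larger than LINE_SIZE. */
#define LINE_SIZE 16

/* Hypothetical stand-in for the response-instruction struct. */
struct resp_instr {
    char AcceptLanguageHeader[LINE_SIZE * 2];
};

/* Bytes the original memcpy reads from the source: sizeof(dest) - 1,
 * regardless of how long the source line actually is. */
size_t bytes_read_by_original(const struct resp_instr *ri) {
    return sizeof ri->AcceptLanguageHeader - 1;
}

/* Returns 1 if that read length exceeds the malloc(LINE_SIZE) buffer
 * the header value lives in, i.e. the over-read the report describes. */
int original_overreads(void) {
    struct resp_instr ri;
    return bytes_read_by_original(&ri) > LINE_SIZE;
}

/* Hardened copy: bounded by both the destination capacity and the
 * actual source length, then NUL-terminated. Returns bytes copied. */
size_t copy_accept_language(struct resp_instr *ri, const char *value, size_t value_len) {
    size_t cap = sizeof ri->AcceptLanguageHeader - 1;
    size_t n = value_len < cap ? value_len : cap;
    memcpy(ri->AcceptLanguageHeader, value, n);
    ri->AcceptLanguageHeader[n] = '\0';
    return n;
}

int main(void) {
    struct resp_instr ri;
    char *line = malloc(LINE_SIZE);       /* constructed, like the daemon's line buffer */
    const char *hdr = "en-US,en;q=0.8";   /* constructed sample header value */
    size_t len = strlen(hdr);
    memcpy(line, hdr, len + 1);
    printf("original would read %zu bytes from a %d-byte buffer: %s\n",
           bytes_read_by_original(&ri), LINE_SIZE,
           original_overreads() ? "over-read" : "ok");
    copy_accept_language(&ri, line, len);
    printf("hardened copy: \"%s\"\n", ri.AcceptLanguageHeader);
    free(line);
    return 0;
}
```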