(forwarded from a Debian user by Debian libupnp package maintainer, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=353169\)
When using the UpnpSendActionAsync method (and possibly other Async methods), the SDK stores the URL for the action in a struct UpnpNonblockParam. This has a fixed length array for storing the action URL of 100 characters. Some UPNP servers routinely generate control URLs longer than 100 characters:
at src/api/upnpapi.c:2694, the SDK then proceeds to strcpy the control URL to the Param struct, resulting in stack-overwritey-badness.
Our user provided a patch (attached) and adds:
Please find attached a patch which goes some way to fixing this issue. I've only tested it in my current configuration, so I don't know how this impacts the webserver. I've had to introduce two new functions to free structures that may be returned by the framework. Not sure how necessary they are, as I think mostly it frees up what it gives you.
Log in to post a comment.