Control: reassign -1 libupnp 1:1.6.24 Control: retitle -1 libupnp: SEGV in upnp/src/genlib/net/http/httpreadwrite.c:1662 Control: affects -1 gmediarender
Hallo Uwe,
I'm reassigning this bug as I'm suspecting it in the recent release of libupnp,
after I had debugged it a bit.
The bug does not trigger in 1.6.22.
How to reproduce:
Install gmediarender and (as a DLNA/uPnP control point) gupnp-tools.
run gmediarender , eg. gmediarender --logfile=/dev/stdout and then the DLNA
controlpoint, e.g gupnp-av-cp
As soon as the the cp queries for the DLNA server, gmediarender crashes.
Debugging into it it segfaults in upnp/src/genlib/net/http/httpreadwrite.c:1662
deferencing a NULL pointer (extras being NULL); it is called from
upnp/src/genlib/net/http/webserver.c:1316; the relvant paremter is
"extra_headers", passed for the "E" command (its NULL)
Looking at the diff from 1.6.22 it looks like that this has been touched:
- before, extra_headers was a string and if NULL it would have been set to an
empty string ("" == '\0')
- now it is a struct which will be only allocated conditionally (line 1188 in
webserver.c). Otherwise it is NULL.
- before, it used command "s" not "E"...
Adding this patch:
--- a/upnp/src/genlib/net/http/webserver.c
+++ b/upnp/src/genlib/net/http/webserver.c
@@ -1296,6 +1296,12 @@
goto error_handler;
}
+ if (!extra_headers) {
+ extra_headers = (struct Extra_Headers*) malloc(sizeof(struct
Extra_Headers));
+ if (!extra_headers) goto error_handler;
+ extra_headers->name = NULL;
+ }
+
/* Check if chunked encoding should be used. */
if (using_virtual_dir && finfo.file_length == UPNP_USING_CHUNKED) {
/* Chunked encoding is only supported by HTTP 1.1 clients */
seems to fix the crash, but as soon after the assertion on httpreadwrite:1862
will trigger. It looks like that in line 1672 a "else" is missing to correctly
chain up the commands after the new "E" command:
--- a/upnp/src/genlib/net/http/httpreadwrite.c
+++ b/upnp/src/genlib/net/http/httpreadwrite.c
@@ -1668,8 +1668,7 @@
}
extras++;
}
- }
- if (c == 's') {
+ } else if (c == 's') {
/* C string */
s = (char *)va_arg(argp, char *);
assert(s);
When applying the patch (attached), gmediarender stops crashing.
However, I cannot say if my changes are sane at all, thus not tagging
"patch". (and also I neglected return code checking of malloc)
Let me know if you need some details!
Cheers,
tobi
--- a/upnp/src/genlib/net/http/webserver.c
+++ b/upnp/src/genlib/net/http/webserver.c
@@ -1296,6 +1296,12 @@
goto error_handler;
}
+ if (!extra_headers) {
+ extra_headers = (struct Extra_Headers*) malloc(sizeof(struct Extra_Headers));
+ if (!extra_headers) goto error_handler;
+ extra_headers->name = NULL;
+ }
+
/* Check if chunked encoding should be used. */
if (using_virtual_dir && finfo.file_length == UPNP_USING_CHUNKED) {
/* Chunked encoding is only supported by HTTP 1.1 clients */
--- a/upnp/src/genlib/net/http/httpreadwrite.c
+++ b/upnp/src/genlib/net/http/httpreadwrite.c
@@ -1668,8 +1668,7 @@
}
extras++;
}
- }
- if (c == 's') {
+ } else if (c == 's') {
/* C string */
s = (char *)va_arg(argp, char *);
assert(s);
signature.asc
Description: PGP signature
