Good morning,
It was pointed out in
https://bugzilla.redhat.com/show_bug.cgi?id=1085618 that miniupnpc
version 1.9 fixes a possible buffer overflow:
https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9
I am not familiar with the code but it may be just a crash, with an
invalid read here (on line 131):
129 /* parse header lines */
130 for(i = 0; i < endofheaders - 1; i++) {
131     if(colon <= linestart && header_buf[i]==':')
Can a CVE be assigned if one has not been already?
On a related note, I'm not sure if there are other issues close by. For
example, in version 1.9, miniwget.c:
172 /* copy the remaining of the received data back to buf */
173 n = header_buf_used - endofheaders;
174 memcpy(buf, header_buf + endofheaders, n);
n and endofheaders are signed ints, and header_buf_used is unsigned.
Mixing the types together (and the signed int in the memcpy) may warrant
further investigation.
Cheers,
--
Murray McAllister / Red Hat Security Response Team
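An added example, not miniupnpc's code and not part of the message above, that models the mixed-type subtraction from miniwget.c lines 173-174 to show what length memcpy would actually receive for a few inputs, beside a bounds-checked variant of the copy. It assumes 32-bit int/unsigned and the types named in the message; SAMPLE, checked_copy_remaining and demo_sample_copy are constructed names.

```c
#include <stddef.h>
#include <string.h>

/* Added example modelling the copy quoted above; not miniupnpc's own code.
 * Types follow the message: n and endofheaders are int, header_buf_used
 * is unsigned. Returns the size_t that memcpy would receive as its
 * length, computed with those types, without copying anything. */
size_t unchecked_copy_length(unsigned header_buf_used, int endofheaders)
{
    /* endofheaders converts to unsigned, the difference wraps modulo
     * 2^32 (assuming 32-bit int), and the result is narrowed back to int. */
    int n = header_buf_used - endofheaders;
    /* memcpy takes size_t, so a negative n becomes a huge length. */
    return (size_t)n;
}

/* Hardened variant: checks that endofheaders lies within the used part
 * of header_buf and that the remainder fits in buf before copying.
 * Returns 0 on success, -1 if the copy would be out of bounds. */
int checked_copy_remaining(char *buf, size_t bufsize,
                           const char *header_buf, unsigned header_buf_used,
                           int endofheaders, size_t *copied)
{
    if (endofheaders < 0 || (unsigned)endofheaders > header_buf_used)
        return -1;
    size_t n = header_buf_used - (unsigned)endofheaders;
    if (n > bufsize)
        return -1;
    memcpy(buf, header_buf + endofheaders, n);
    *copied = n;
    return 0;
}

/* Constructed response: 19 header bytes followed by a 4-byte body. */
static const char SAMPLE[] = "HTTP/1.1 200 OK\r\n\r\nbody";

/* Copies everything after endofheaders into a 16-byte buffer; returns the
 * byte count, or -1 if the hardened check rejected the copy. */
long demo_sample_copy(int endofheaders)
{
    char buf[16];
    size_t copied = 0;
    unsigned used = (unsigned)(sizeof SAMPLE - 1);
    if (checked_copy_remaining(buf, sizeof buf, SAMPLE, used,
                               endofheaders, &copied) != 0)
        return -1;
    return (long)copied;
}
```

Note that a negative endofheaders does not produce an obviously absurd length: the wrap yields a small positive n while header_buf + endofheaders points before the buffer, so the length check alone is not enough and the offset must be validated as well.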