http://sourceforge.net/p/pupnp/code/ci/0398b1fc75935f3b2053dbc305d1c5afcac4d749/ Directly use strdup() commit 0edaf3361db01425cae0daee7dc3f6039f381a17 replaced several malloc()+strcpy() sequences with memset()+strncpy() using strlen(). This doesn't improve security and introduced a bug URI handling. While reviewing this commit change the code to directly use strdup() instead of re-implementing it multiple times, as shortens the code and thus improves readability. Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net> (cherry picked from commit 04fb68432330c3a622161dda98dbe1b30eaa0927) --- a/upnp/src/gena/gena_device.c +++ b/upnp/src/gena/gena_device.c @@ -480,24 +480,19 @@ } *reference_count = 0; - UDN_copy = (char *)malloc(strlen(UDN) + 1); + UDN_copy = strdup(UDN); if (UDN_copy == NULL) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - servId_copy = (char *)malloc(strlen(servId) + 1); + servId_copy = strdup(servId); if (servId_copy == NULL) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - - memset(UDN_copy, 0, strlen(UDN) + 1); - strncpy(UDN_copy, UDN, strlen(UDN)); - memset(servId_copy, 0, strlen(servId) + 1); - strncpy(servId_copy, servId, strlen(servId)); HandleLock(); @@ -639,24 +634,19 @@ } *reference_count = 0; - UDN_copy = (char *)malloc(strlen(UDN) + 1); + UDN_copy = strdup(UDN); if (UDN_copy == NULL) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - servId_copy = (char *)malloc(strlen(servId) + 1); + servId_copy = strdup(servId); if( servId_copy == NULL ) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - - memset(UDN_copy, 0, strlen(UDN) + 1); - strncpy(UDN_copy, UDN, strlen(UDN)); - memset(servId_copy, 0, strlen(servId) + 1); - strncpy(servId_copy, servId, strlen(servId)); HandleLock(); @@ -798,24 +788,19 @@ } *reference_count = 0; - UDN_copy = (char *)malloc(strlen(UDN) + 1); + UDN_copy = strdup(UDN); if (UDN_copy == NULL) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - servId_copy = (char *)malloc(strlen(servId) + 1); + servId_copy = strdup(servId); if( servId_copy == NULL ) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - - memset(UDN_copy, 0, strlen(UDN) + 1); - strncpy(UDN_copy, UDN, strlen(UDN)); - memset(servId_copy, 0, strlen(servId) + 1); - strncpy(servId_copy, servId, strlen(servId)); propertySet = ixmlPrintNode((IXML_Node *)PropSet); if (propertySet == NULL) { @@ -944,24 +929,19 @@ } *reference_count = 0; - UDN_copy = (char *)malloc(strlen(UDN) + 1); + UDN_copy = strdup(UDN); if (UDN_copy == NULL) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - servId_copy = (char *)malloc(strlen(servId) + 1); + servId_copy = strdup(servId); if( servId_copy == NULL ) { line = __LINE__; ret = UPNP_E_OUTOF_MEMORY; goto ExitFunction; } - - memset(UDN_copy, 0, strlen(UDN) + 1); - strncpy(UDN_copy, UDN, strlen(UDN)); - memset(servId_copy, 0, strlen(servId) + 1); - strncpy(servId_copy, servId, strlen(servId)); ret = GeneratePropertySet(VarNames, VarValues, var_count, &propertySet); if (ret != XML_SUCCESS) { --- a/upnp/src/genlib/net/http/webserver.c +++ b/upnp/src/genlib/net/http/webserver.c @@ -795,11 +795,9 @@ Instr->ReadSendSize = FileLength; if (!ByteRangeSpecifier) return HTTP_BAD_REQUEST; - RangeInput = malloc(strlen(ByteRangeSpecifier) + 1); + RangeInput = strdup(ByteRangeSpecifier); if (!RangeInput) return HTTP_INTERNAL_SERVER_ERROR; - memset(RangeInput, 0, strlen(ByteRangeSpecifier) + 1); - strncpy(RangeInput, ByteRangeSpecifier, strlen(ByteRangeSpecifier)); /* CONTENT-RANGE: bytes 222-3333/4000 HTTP_PARTIAL_CONTENT */ if (StrStr(RangeInput, "bytes") == NULL || (Ptr = StrStr(RangeInput, "=")) == NULL) {