Security vulnerabilities and automated fixes for UPnP issues
3 posts found
A critical heap buffer overflow vulnerability was discovered and patched in the SSDP control point implementation (`ssdp_ctrlpt.c`), where multiple unbounded `strcpy` and `strcat` operations constructed HTTP request buffers without any length validation. Network-received SSDP response fields — including service type strings and location URLs — could be crafted by an attacker to exceed buffer boundaries, potentially enabling arbitrary code execution or denial of service. The fix replaces the unsa
A critical buffer overflow vulnerability was discovered in the UPnP TV device sample code (`tv_device.c`), where unchecked `strcpy` calls allowed network-adjacent attackers to overflow fixed-size buffers with crafted UPnP discovery strings. The fix replaces unbounded string copies with length-checked alternatives (`strlcpy`/`snprintf`), closing a classic CWE-120 attack vector that required zero authentication to exploit.
A high-severity buffer overflow vulnerability (CWE-120) was discovered and patched in the UPnP TV control point sample code, where an unbounded `sprintf` call could allow a malicious device on the network to corrupt stack memory. The fix replaces the unsafe formatting call with a size-bounded alternative, preventing attackers from exploiting crafted UPnP responses to hijack program execution. This post breaks down how the attack works, what the fix looks like, and how you can audit your own C co