oss-sec mailing list archives

multiple flaws in minissdpd


From: Kees Cook <kees () ubuntu com>
Date: Thu, 28 Jul 2011 14:24:20 -0700

Hi!

I recently did an audit[1] of minissdpd for Ubuntu, and found a lot of issues,
unfortunately. There may be more hiding that I didn't notice, but here
are the security bits of my notes:


Denial of Service:

- off-by-one in packet parsing can trigger crashes on unlucky alignment
    minissdpd.c line ~290

- walk off end of memory without length check in "cache-control" packet
    minissdpd.c line ~314

- some unchecked malloc uses could lead to crash

- does not clean up /var/run files on crash


Corruption, possible manipulation of responses:

- linefeed injection in service requests

- unchecked write lengths (could get interrupted, lead to corruption)


Memory corruption, with execution control likely:

- multiple buffer overflows in processRequest
    - unchecked decoded lengths
    - unchecked buffer creation length
    - integer overflows in decoded lengths
    - write null byte arbitrarily in heap
    - could read stack memory out on requests (including canary if OS
      used stack protector canary that wasn't null-started). e.g.:
      - add bogus service with giant coded-length "location" entry
      - read back with type==1 and matching "st"


General Safety:

- does not drop privileges


Hopefully all of this can get fixed up, it looks like a useful service. :)

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/minissdpd/+bug/813313

-- 
Kees Cook
Ubuntu Security Team
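The "unchecked decoded lengths", "unchecked buffer creation length" and "integer overflows in decoded lengths" items above all come down to one parsing step: turning a variable-length-encoded length field into a number that is then trusted. The following is an added example of how a length decoder can be written defensively; it is not code from minissdpd or from the audit, and it assumes an illustrative base-128 varint encoding (7 bits per byte, high bit set on every byte but the last) rather than the daemon's actual format.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption (illustrative, not minissdpd's own code): a length field is a
 * big-endian base-128 varint, 7 payload bits per byte, high bit set on
 * every byte except the last. */

/* Decode one length with the checks the audit asks for: no shift past the
 * width of size_t (integer overflow), no length larger than the bytes that
 * actually follow it, and a caller-supplied ceiling for buffer creation.
 * Returns 1 and fills *len/*consumed on success, 0 on any violation. */
int decode_length_checked(const unsigned char *buf, size_t avail,
                          size_t max_len, size_t *len, size_t *consumed)
{
    size_t value = 0;
    for (size_t i = 0; i < avail; i++) {
        unsigned char b = buf[i];
        if (value > (SIZE_MAX >> 7))          /* next shift would overflow */
            return 0;
        value = (value << 7) | (b & 0x7f);
        if (!(b & 0x80)) {                    /* terminating byte */
            size_t remaining = avail - (i + 1);
            if (value > max_len || value > remaining)
                return 0;                     /* would read past the packet */
            *len = value;
            *consumed = i + 1;
            return 1;
        }
    }
    return 0;                                 /* truncated: no terminator seen */
}

/* Wrapper for a single length-prefixed field: returns the validated
 * payload length, or -1 if the field must be rejected. */
long check_field(const unsigned char *buf, size_t avail, size_t max_len)
{
    size_t len, consumed;
    if (!decode_length_checked(buf, avail, max_len, &len, &consumed))
        return -1;
    return (long)len;
}
```

A length that claims more bytes than the packet holds, a length that never terminates, and a coded length wide enough to wrap the accumulator are all rejected before any buffer is sized from them.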
