<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[126547] trunk/dports/devel/libupnp</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="https://trac.macports.org/changeset/126547">126547</a></dd>
<dt>Author</dt> <dd>ctreleaven@macports.org</dd>
<dt>Date</dt> <dd>2014-10-11 18:01:19 -0700 (Sat, 11 Oct 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>libupnp: update to 1.6.19, claim maintainership, add security-related patches, fixes #42647</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkdportsdevellibupnpPortfile">trunk/dports/devel/libupnp/Portfile</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li>trunk/dports/devel/libupnp/files/</li>
<li><a href="#trunkdportsdevellibupnpfilespatchFixgetaddrinfoloopdiff">trunk/dports/devel/libupnp/files/patch-Fix-getaddrinfo-loop.diff</a></li>
<li><a href="#trunkdportsdevellibupnpfilespatchFixresolve_rel_urldiff">trunk/dports/devel/libupnp/files/patch-Fix-resolve_rel_url.diff</a></li>
<li><a href="#trunkdportsdevellibupnpfilespatchFix_broken_strncatdiff">trunk/dports/devel/libupnp/files/patch-Fix_broken_strncat.diff</a></li>
<li><a href="#trunkdportsdevellibupnpfilespatchdirectly_use_strdupdiff">trunk/dports/devel/libupnp/files/patch-directly_use_strdup.diff</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkdportsdevellibupnpPortfile"></a>
<div class="modfile"><h4>Modified: trunk/dports/devel/libupnp/Portfile (126546 => 126547)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/devel/libupnp/Portfile 2014-10-12 00:38:36 UTC (rev 126546)
+++ trunk/dports/devel/libupnp/Portfile 2014-10-12 01:01:19 UTC (rev 126547)
</span><span class="lines">@@ -4,11 +4,11 @@
</span><span class="cx"> PortSystem 1.0
</span><span class="cx">
</span><span class="cx"> name libupnp
</span><del>-version 1.6.6
</del><ins>+version 1.6.19
</ins><span class="cx"> categories devel
</span><span class="cx"> platforms darwin
</span><del>-maintainers nomaintainer
-description A portable open source UPnP development kit
</del><ins>+maintainers ctreleaven openmaintainer
+description portable open source UPnP development kit
</ins><span class="cx"> long_description \
</span><span class="cx"> The portable SDK for UPnP(tm) Devices (libupnp) provides developers with \
</span><span class="cx"> an API and open source code for building control points, devices, and \
</span><span class="lines">@@ -18,10 +18,20 @@
</span><span class="cx">
</span><span class="cx"> homepage http://pupnp.sourceforge.net
</span><span class="cx"> master_sites sourceforge:pupnp
</span><ins>+# tried to Avoid Redirects but uri contains %20 character ?!?
</ins><span class="cx"> use_bzip2 yes
</span><del>-checksums md5 8918dcf7428cd119d0c8275765ff2833 \
- sha1 24c2c349cb52ed3d62121fbdae205c8d9dc0f5fa \
- rmd160 25ff0390793cfa48cca32a335b4d633283b1fe64
</del><ins>+checksums md5 ee16e5d33a3ea7506f38d71facc057dd \
+ sha1 ee9e16ff42808521b62b7fc664fc9cba479ede88 \
+ rmd160 9879bc7e2e31b50b36ca752c70a00b3abc6de23f
</ins><span class="cx">
</span><ins>+# Following 4 patches fix security faults - http://sourceforge.net/p/pupnp/bugs/122/
+patchfiles patch-Fix_broken_strncat.diff \
+ patch-directly_use_strdup.diff \
+ patch-Fix-getaddrinfo-loop.diff \
+ patch-Fix-resolve_rel_url.diff
+
+configure.args-append \
+ --enable-ipv6
+
</ins><span class="cx"> livecheck.url http://sourceforge.net/projects/pupnp/files/pupnp/
</span><span class="cx"> livecheck.regex "title=\\\"libUPnP (\\d+(?:\\.\\d+)*)"
</span></span></pre></div>
<a id="trunkdportsdevellibupnpfilespatchFixgetaddrinfoloopdiff"></a>
<div class="addfile"><h4>Added: trunk/dports/devel/libupnp/files/patch-Fix-getaddrinfo-loop.diff (0 => 126547)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/devel/libupnp/files/patch-Fix-getaddrinfo-loop.diff (rev 0)
+++ trunk/dports/devel/libupnp/files/patch-Fix-getaddrinfo-loop.diff 2014-10-12 01:01:19 UTC (rev 126547)
</span><span class="lines">@@ -0,0 +1,47 @@
</span><ins>+>From 2dd10ef70c1cb36748b04c5d9425e4b511ece969 Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fabrice.fontaine@orange.com>
+Date: Wed, 14 Mar 2012 22:37:10 +0100
+Subject: [PATCH 1/6] Fix getaddrinfo() loop
+
+Commit b116d10f did the following change:
+ Use switch, int and sa_family_t with AF_INET in uri.c.
+
+This breaks when getaddrinfo() only returns a single record, as in that
+case the "break" only exits the switch statement and the loop-step
+"res=res->ai_next" is still executed. After that "res == NULL" is
+wrongly interpreted as not having found an AF_INET or AF_INET6 address.
+---
+ upnp/src/genlib/net/uri/uri.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/upnp/src/genlib/net/uri/uri.c b/upnp/src/genlib/net/uri/uri.c
+index dff0c96..96b2a32 100644
+--- upnp/src/genlib/net/uri/uri.c
++++ upnp/src/genlib/net/uri/uri.c
+@@ -387,7 +387,7 @@ static int parse_hostport(
+
+ ret = getaddrinfo(srvname, NULL, &hints, &res0);
+ if (ret == 0) {
+- for (res = res0; res && !ret; res = res->ai_next) {
++ for (res = res0; res; res = res->ai_next) {
+ switch (res->ai_family) {
+ case AF_INET:
+ case AF_INET6:
+@@ -395,12 +395,10 @@ static int parse_hostport(
+ memcpy(&out->IPaddress,
+ res->ai_addr,
+ res->ai_addrlen);
+- ret=1;
+- break;
+- default:
+- break;
++ goto found;
+ }
+ }
++found:
+ freeaddrinfo(res0);
+ if (res == NULL)
+ /* Didn't find an AF_INET or AF_INET6 address. */
+--
+2.0.0.rc0
+
</ins></span></pre></div>
<a id="trunkdportsdevellibupnpfilespatchFixresolve_rel_urldiff"></a>
<div class="addfile"><h4>Added: trunk/dports/devel/libupnp/files/patch-Fix-resolve_rel_url.diff (0 => 126547)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/devel/libupnp/files/patch-Fix-resolve_rel_url.diff (rev 0)
+++ trunk/dports/devel/libupnp/files/patch-Fix-resolve_rel_url.diff 2014-10-12 01:01:19 UTC (rev 126547)
</span><span class="lines">@@ -0,0 +1,239 @@
</span><ins>+>From 2869c6f33d7333bed7ec39b201a1d9171c4fc0b2 Mon Sep 17 00:00:00 2001
+From: Philipp Matthias Hahn <pmhahn@pmhahn.de>
+Date: Thu, 1 May 2014 10:41:20 +0200
+Subject: [PATCH 4/6] Fix resolve_rel_url()
+
+This reworks commit 0edaf3361db01425cae0daee7dc3f6039f381a17, which
+broke resolving relative url, where the relative URL is shorter than the
+absolute URL:
+ "http://127.0.0.1:6544/getDeviceDesc" + "CDS_Event"
+ Wrong: "http://127.0.0.1:6544/CDS_EventDesc"
+ Right: "http://127.0.0.1:6544/CDS_Event"
+
+While reviewing that commit, improve code by:
+1. Move the simple cases to the beginning of the function.
+2. Keep track of the remaining target buffer size.
+3. Fix URI concatenation with queries.
+4. Fix URI concatenation with fragments.
+---
+ upnp/src/genlib/net/uri/uri.c | 192 +++++++++++++++++++++---------------------
+ 1 file changed, 95 insertions(+), 97 deletions(-)
+
+diff --git a/upnp/src/genlib/net/uri/uri.c b/upnp/src/genlib/net/uri/uri.c
+index 96b2a32..827693f 100644
+--- upnp/src/genlib/net/uri/uri.c
++++ upnp/src/genlib/net/uri/uri.c
+@@ -580,115 +580,113 @@ char *resolve_rel_url(char *base_url, char *rel_url)
+ {
+ uri_type base;
+ uri_type rel;
++ int rv;
+
+- size_t i = (size_t)0;
+- char *finger = NULL;
+-
+- char *last_slash = NULL;
+-
+- char *out = NULL;
+-
+- if( base_url && rel_url ) {
+- out =
+- ( char * )malloc( strlen( base_url ) + strlen( rel_url ) + (size_t)2 );
+- } else {
+- if( rel_url )
+- return strdup( rel_url );
+- else
++ if (!base_url) {
++ if (!rel_url)
+ return NULL;
++ return strdup(rel_url);
+ }
+
+- if( out == NULL ) {
++ size_t len_rel = strlen(rel_url);
++ if (parse_uri(rel_url, len_rel, &rel) != HTTP_SUCCESS)
+ return NULL;
+- }
+- memset( out, 0, strlen( base_url ) + strlen( rel_url ) + (size_t)2 );
++ if (rel.type == (enum uriType)ABSOLUTE)
++ return strdup(rel_url);
+
+- if( ( parse_uri( rel_url, strlen( rel_url ), &rel ) ) == HTTP_SUCCESS ) {
+-
+- if( rel.type == ( enum uriType) ABSOLUTE ) {
+-
+- strncpy( out, rel_url, strlen ( rel_url ) );
+- } else {
++ size_t len_base = strlen(base_url);
++ if ((parse_uri(base_url, len_base, &base) != HTTP_SUCCESS)
++ || (base.type != (enum uriType)ABSOLUTE))
++ return NULL;
++ if (len_rel == (size_t)0)
++ return strdup(base_url);
+
+- if( ( parse_uri( base_url, strlen( base_url ), &base ) ==
+- HTTP_SUCCESS )
+- && ( base.type == ( enum uriType ) ABSOLUTE ) ) {
++ size_t len = len_base + len_rel + (size_t)2;
++ char *out = (char *)malloc(len);
++ if (out == NULL)
++ return NULL;
++ memset(out, 0, len);
++ char *out_finger = out;
++
++ /* scheme */
++ rv = snprintf(out_finger, len, "%.*s:", (int)base.scheme.size, base.scheme.buff);
++ if (rv < 0 || rv >= len)
++ goto error;
++ out_finger += rv;
++ len -= rv;
++
++ /* authority */
++ if (rel.hostport.text.size > (size_t)0) {
++ rv = snprintf(out_finger, len, "%s", rel_url);
++ if (rv < 0 || rv >= len)
++ goto error;
++ return out;
++ }
++ if (base.hostport.text.size > (size_t)0) {
++ rv = snprintf(out_finger, len, "//%.*s", (int)base.hostport.text.size, base.hostport.text.buff);
++ if (rv < 0 || rv >= len)
++ goto error;
++ out_finger += rv;
++ len -= rv;
++ }
+
+- if( strlen( rel_url ) == (size_t)0 ) {
+- strncpy( out, base_url, strlen ( base_url ) );
+- } else {
+- char *out_finger = out;
+- assert( base.scheme.size + (size_t)1 /* ':' */ <= strlen ( base_url ) );
+- memcpy( out, base.scheme.buff, base.scheme.size );
+- out_finger += base.scheme.size;
+- ( *out_finger ) = ':';
+- out_finger++;
+-
+- if( rel.hostport.text.size > (size_t)0 ) {
+- snprintf( out_finger, strlen( rel_url ) + (size_t)1,
+- "%s", rel_url );
+- } else {
+- if( base.hostport.text.size > (size_t)0 ) {
+- assert( base.scheme.size + (size_t)1
+- + base.hostport.text.size + (size_t)2 /* "//" */ <= strlen ( base_url ) );
+- memcpy( out_finger, "//", (size_t)2 );
+- out_finger += 2;
+- memcpy( out_finger, base.hostport.text.buff,
+- base.hostport.text.size );
+- out_finger += base.hostport.text.size;
+- }
+-
+- if( rel.path_type == ( enum pathType ) ABS_PATH ) {
+- strncpy( out_finger, rel_url, strlen ( rel_url ) );
+-
+- } else {
+- char temp_path = '/';
+-
+- if( base.pathquery.size == (size_t)0 ) {
+- base.pathquery.size = (size_t)1;
+- base.pathquery.buff = &temp_path;
+- }
+-
+- assert( base.scheme.size + (size_t)1 + base.hostport.text.size + (size_t)2
+- + base.pathquery.size <= strlen ( base_url ) + (size_t)1 /* temp_path */);
+- finger = out_finger;
+- last_slash = finger;
+- i = (size_t)0;
+- while( ( i < base.pathquery.size ) &&
+- ( base.pathquery.buff[i] != '?' ) ) {
+- ( *finger ) = base.pathquery.buff[i];
+- if( base.pathquery.buff[i] == '/' )
+- last_slash = finger + 1;
+- i++;
+- finger++;
+-
+- }
+- strncpy( last_slash, rel_url, strlen ( rel_url ) );
+- if( remove_dots( out_finger,
+- strlen( out_finger ) ) !=
+- UPNP_E_SUCCESS ) {
+- free(out);
+- /* free(rel_url); */
+- return NULL;
+- }
+- }
+-
+- }
+- }
+- } else {
+- free(out);
+- /* free(rel_url); */
+- return NULL;
+- }
+- }
++ /* path */
++ char *path = out_finger;
++ if (rel.path_type == (enum pathType)ABS_PATH) {
++ rv = snprintf(out_finger, len, "%s", rel_url);
++ } else if (base.pathquery.size == (size_t)0) {
++ rv = snprintf(out_finger, len, "/%s", rel_url);
+ } else {
+- free(out);
+- /* free(rel_url); */
+- return NULL;
++ if (rel.pathquery.size == (size_t)0) {
++ rv = snprintf(out_finger, len, "%.*s", (int)base.pathquery.size, base.pathquery.buff);
++ } else {
++ if (len < base.pathquery.size)
++ goto error;
++ size_t i = (size_t)0, prefix = (size_t)1;
++ while (i < base.pathquery.size) {
++ out_finger[i] = base.pathquery.buff[i];
++ switch (base.pathquery.buff[i++]) {
++ case '/':
++ prefix = i;
++ /* fall-through */
++ default:
++ continue;
++ case '?': /* query */
++ if (rel.pathquery.buff[0] == '?')
++ prefix = --i;
++ }
++ break;
++ }
++ out_finger += prefix;
++ len -= prefix;
++ rv = snprintf(out_finger, len, "%.*s", (int)rel.pathquery.size, rel.pathquery.buff);
++ }
++ if (rv < 0 || rv >= len)
++ goto error;
++ out_finger += rv;
++ len -= rv;
++
++ /* fragment */
++ if (rel.fragment.size > (size_t)0)
++ rv = snprintf(out_finger, len, "#%.*s", (int)rel.fragment.size, rel.fragment.buff);
++ else if (base.fragment.size > (size_t)0)
++ rv = snprintf(out_finger, len, "#%.*s", (int)base.fragment.size, base.fragment.buff);
++ else
++ rv = 0;
+ }
++ if (rv < 0 || rv >= len)
++ goto error;
++ out_finger += rv;
++ len -= rv;
++
++ if (remove_dots(path, out_finger - path) != UPNP_E_SUCCESS)
++ goto error;
+
+- /* free(rel_url); */
+ return out;
++
++error:
++ free(out);
++ return NULL;
+ }
+
+
+--
+2.0.0.rc0
+
</ins></span></pre></div>
<a id="trunkdportsdevellibupnpfilespatchFix_broken_strncatdiff"></a>
<div class="addfile"><h4>Added: trunk/dports/devel/libupnp/files/patch-Fix_broken_strncat.diff (0 => 126547)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/devel/libupnp/files/patch-Fix_broken_strncat.diff (rev 0)
+++ trunk/dports/devel/libupnp/files/patch-Fix_broken_strncat.diff 2014-10-12 01:01:19 UTC (rev 126547)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+Fix broken strncat(..., strlen())
+commit 0edaf3361db01425cae0daee7dc3f6039f381a17 replaced several
+malloc()+strcat() sequences with strncat() using strlen() on the
+*source* string.
+This is still vulnerable to overwrite the *target* buffer.
+While reviewing this commit change the code to directly use snprintf()
+for concatenating strings and check the length of the target buffer.
+Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
+(cherry picked from commit 848d66e69daf30d3b64db1450618cd819c370ad4)
+
+--- upnp/src/genlib/net/http/httpreadwrite.c
++++ upnp/src/genlib/net/http/httpreadwrite.c
+@@ -541,13 +541,12 @@
+ memset(Chunk_Header, 0,
+ sizeof(Chunk_Header));
+ rc = snprintf(Chunk_Header,
+- sizeof(Chunk_Header) - strlen ("\r\n"),
+- "%" PRIzx, num_read);
+- if (rc < 0 || (unsigned int) rc >= sizeof(Chunk_Header) - strlen ("\r\n")) {
++ sizeof(Chunk_Header),
++ "%" PRIzx "\r\n", num_read);
++ if (rc < 0 || (unsigned int) rc >= sizeof(Chunk_Header)) {
+ RetVal = UPNP_E_INTERNAL_ERROR;
+ goto Cleanup_File;
+ }
+- strncat(Chunk_Header, "\r\n", strlen ("\r\n"));
+ /* Copy the chunk size header */
+ memcpy(file_buf - strlen(Chunk_Header),
+ Chunk_Header,
</ins></span></pre></div>
<a id="trunkdportsdevellibupnpfilespatchdirectly_use_strdupdiff"></a>
<div class="addfile"><h4>Added: trunk/dports/devel/libupnp/files/patch-directly_use_strdup.diff (0 => 126547)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/devel/libupnp/files/patch-directly_use_strdup.diff (rev 0)
+++ trunk/dports/devel/libupnp/files/patch-directly_use_strdup.diff 2014-10-12 01:01:19 UTC (rev 126547)
</span><span class="lines">@@ -0,0 +1,120 @@
</span><ins>+Directly use strdup()
+commit 0edaf3361db01425cae0daee7dc3f6039f381a17 replaced several
+malloc()+strcpy() sequences with memset()+strncpy() using strlen().
+This doesn't improve security and introduced a bug URI handling.
+While reviewing this commit change the code to directly use strdup()
+instead of re-implementing it multiple times, as shortens the code and
+thus improves readability.
+Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
+(cherry picked from commit 04fb68432330c3a622161dda98dbe1b30eaa0927)
+
+--- upnp/src/gena/gena_device.c
++++ upnp/src/gena/gena_device.c
+@@ -480,24 +480,19 @@
+ }
+ *reference_count = 0;
+
+- UDN_copy = (char *)malloc(strlen(UDN) + 1);
++ UDN_copy = strdup(UDN);
+ if (UDN_copy == NULL) {
+ line = __LINE__;
+ ret = UPNP_E_OUTOF_MEMORY;
+ goto ExitFunction;
+ }
+
+- servId_copy = (char *)malloc(strlen(servId) + 1);
++ servId_copy = strdup(servId);
+ if (servId_copy == NULL) {
+ line = __LINE__;
+ ret = UPNP_E_OUTOF_MEMORY;
+ goto ExitFunction;
+ }
+-
+- memset(UDN_copy, 0, strlen(UDN) + 1);
+- strncpy(UDN_copy, UDN, strlen(UDN));
+- memset(servId_copy, 0, strlen(servId) + 1);
+- strncpy(servId_copy, servId, strlen(servId));
+
+ HandleLock();
+
+@@ -639,24 +634,19 @@
+ }
+ *reference_count = 0;
+
+- UDN_copy = (char *)malloc(strlen(UDN) + 1);
++ UDN_copy = strdup(UDN);
+ if (UDN_copy == NULL) {
+ line = __LINE__;
+ ret = UPNP_E_OUTOF_MEMORY;
+ goto ExitFunction;
+ }
+
+- servId_copy = (char *)malloc(strlen(servId) + 1);
++ servId_copy = strdup(servId);
+ if( servId_copy == NULL ) {
+ line = __LINE__;
+ ret = UPNP_E_OUTOF_MEMORY;
+ goto ExitFunction;
+ }
+-
+- memset(UDN_copy, 0, strlen(UDN) + 1);
+- strncpy(UDN_copy, UDN, strlen(UDN));
+- memset(servId_copy, 0, strlen(servId) + 1);
+- strncpy(servId_copy, servId, strlen(servId));
+
+ HandleLock();
+
+@@ -798,24 +788,19 @@
+ }
+ *reference_count = 0;
+
+- UDN_copy = (char *)malloc(strlen(UDN) + 1);
++ UDN_copy = strdup(UDN);
+ if (UDN_copy == NULL) {
+ line = __LINE__;
+ ret = UPNP_E_OUTOF_MEMORY;
+ goto ExitFunction;
+ }
+
+- servId_copy = (char *)malloc(strlen(servId) + 1);
++ servId_copy = strdup(servId);
+ if( servId_copy == NULL ) {
+ line = __LINE__;
+ ret = UPNP_E_OUTOF_MEMORY;
+ goto ExitFunction;
+ }
+-
+- memset(UDN_copy, 0, strlen(UDN) + 1);
+- strncpy(UDN_copy, UDN, strlen(UDN));
+- memset(servId_copy, 0, strlen(servId) + 1);
+- strncpy(servId_copy, servId, strlen(servId));
+
+ propertySet = ixmlPrintNode((IXML_Node *)PropSet);
+ if (propertySet == NULL) {
+@@ -944,24 +929,19 @@
+ }
+ *reference_count = 0;
+
+- UDN_copy = (char *)malloc(strlen(UDN) + 1);
++ UDN_copy = strdup(UDN);
+ if (UDN_copy == NULL) {
+ line = __LINE__;
+ ret = UPNP_E_OUTOF_MEMORY;
+ goto ExitFunction;
+ }
+
+- servId_copy = (char *)malloc(strlen(servId) + 1);
++ servId_copy = strdup(servId);
+ if( servId_copy == NULL ) {
+ line = __LINE__;
+ ret = UPNP_E_OUTOF_MEMORY;
+ goto ExitFunction;
+ }
+-
+- memset(UDN_copy, 0, strlen(UDN) + 1);
+- strncpy(UDN_copy, UDN, strlen(UDN));
+- memset(servId_copy, 0, strlen(servId) + 1);
+- strncpy(servId_copy, servId, strlen(servId));
+
+ ret = GeneratePropertySet(VarNames, VarValues, var_count, &propertySet);
+ if (ret != XML_SUCCESS) {
</ins></span></pre>
</div>
</div>
</body>
</html>