From 699c72b98434ca2ff58c5953c94d6380c70ae948 Mon Sep 17 00:00:00 2001
From: Yh793
Date: Fri, 19 Nov 2021 02:03:12 +0800
Subject: [PATCH 1/6] miniupnpd: fix for CVE-2017-1000494 patch from: https://salsa.debian.org/miniupnp-team/miniupnpd/-/blob/debian-stretch/debian/patches/CVE-2017-1000494.patch upstream:https://github.com/miniupnp/miniupnp/commit/7aeb624b44f86d335841242ff427433190e7168a
---
 trunk/user/miniupnpd/miniupnpd-2.x/minixml.c | 3 ++-
 trunk/user/miniupnpd/miniupnpd-2.x/upnpreplyparse.c | 4 +---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/trunk/user/miniupnpd/miniupnpd-2.x/minixml.c b/trunk/user/miniupnpd/miniupnpd-2.x/minixml.c
index 3e201ec2cd4..a2dfe9d4e93 100644
--- a/trunk/user/miniupnpd/miniupnpd-2.x/minixml.c
+++ b/trunk/user/miniupnpd/miniupnpd-2.x/minixml.c
@@ -161,7 +161,8 @@ static void parseelt(struct xmlparser * p) if (p->xml >= p->xmlend) return; } - if(memcmp(p->xml, " */ + if((p->xmlend >= (p->xml + (9 + 3))) && (memcmp(p->xml, "xml += 9;
diff --git a/trunk/user/miniupnpd/miniupnpd-2.x/upnpreplyparse.c b/trunk/user/miniupnpd/miniupnpd-2.x/upnpreplyparse.c
index 5de5796a395..a3ebea1bbd0 100644
--- a/trunk/user/miniupnpd/miniupnpd-2.x/upnpreplyparse.c
+++ b/trunk/user/miniupnpd/miniupnpd-2.x/upnpreplyparse.c
@@ -104,9 +104,7 @@ ParseNameValue(const char * buffer, int bufsize,
 struct NameValueParserData * data)
 {
 struct xmlparser parser;
- data->l_head = NULL;
- data->portListing = NULL;
- data->portListingLength = 0;
+ memset(data, 0, sizeof(struct NameValueParserData));
 /* init xmlparser object */
 parser.xmlstart = buffer;
 parser.xmlsize = bufsize;
From 6f3482b9ce920bc3c4dd44a29738862010657c09 Mon Sep 17 00:00:00 2001
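Review bot: In the minixml.c hunk (parseelt), the new bound `p->xmlend >= (p->xml + (9 + 3))` forms a pointer 12 bytes past `p->xml` before comparing it; when fewer than 12 bytes remain, that pointer lies beyond one-past-the-end of the buffer, which is undefined behaviour in C even though it is never dereferenced. Comparing the remaining length avoids this: `(p->xmlend - p->xml) >= (9 + 3)`. The difference cannot be negative here, because the context line just above returns when `p->xml >= p->xmlend`. The string literal in this hunk is cut off in the page's rendering, so the `memcmp` arguments are not restated here; parseelt's body starts and ends outside the hunk.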
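Review bot: In the upnpreplyparse.c hunk (ParseNameValue), `memset(data, 0, sizeof(struct NameValueParserData));` repeats the type name; `memset(data, 0, sizeof *data);` stays correct if the parameter's type ever changes. The line also deserves a short comment saying why the whole structure is cleared rather than only the three members the old code set, for example `/* zero all members, not only the list head and port listing */`. Which members were previously left unset is not visible in this hunk, and the function continues past its end.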
From: Yh793
Date: Fri, 19 Nov 2021 02:21:54 +0800
Subject: [PATCH 2/6] miniupnpd: fix for CVE-2019-12107 upstream: https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94
---
 .../user/miniupnpd/miniupnpd-2.x/upnpevents.c | 37 +++++++++++++------
 1 file changed, 26 insertions(+), 11 deletions(-)
diff --git a/trunk/user/miniupnpd/miniupnpd-2.x/upnpevents.c b/trunk/user/miniupnpd/miniupnpd-2.x/upnpevents.c
index 35b93ca0182..d8ea159b742 100644
--- a/trunk/user/miniupnpd/miniupnpd-2.x/upnpevents.c
+++ b/trunk/user/miniupnpd/miniupnpd-2.x/upnpevents.c
@@ -442,19 +442,34 @@ static void upnp_event_prepare(struct upnp_event_notify * obj)
 l = 0;
 }
 obj->buffersize = 1024;
- obj->buffer = malloc(obj->buffersize);
- if(!obj->buffer) {
- syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
- if(xml) {
- free(xml);
+ for (;;) {
+ obj->buffer = malloc(obj->buffersize);
+ if(!obj->buffer) {
+ syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
+ if(xml) {
+ free(xml);
+ }
+ obj->state = EError;
+ return;
 }
- obj->state = EError;
- return;
+ obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
+ obj->path, obj->addrstr, obj->portstr, l+2,
+ obj->sub->uuid, obj->sub->seq,
+ l, xml);
+ if (obj->tosend < 0) {
+ syslog(LOG_ERR, "%s: snprintf() failed", "upnp_event_prepare");
+ if(xml) {
+ free(xml);
+ }
+ obj->state = EError;
+ return;
+ } else if (obj->tosend < obj->buffersize) {
+ break; /* the buffer was large enough */
+ }
+ /* Try again with a buffer big enough */
+ free(obj->buffer);
+ obj->buffersize = obj->tosend + 1; /* reserve space for the final 0 */
 }
- obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
- obj->path, obj->addrstr, obj->portstr, l+2,
- obj->sub->uuid, obj->sub->seq,
- l, xml);
 if(xml) {
 free(xml);
 xml = NULL;
From 70ec09a74e23743c8face8052b790aa3cee7ae59 Mon Sep 17 00:00:00 2001
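Review bot: In upnp_event_prepare's new retry loop, the `obj->tosend < 0` branch returns with `obj->state = EError` while `obj->buffer` still holds the block just allocated; whether it is released later depends on the EError cleanup, which is outside this hunk. Releasing it on the spot keeps the failure path self-contained: `free(obj->buffer); obj->buffer = NULL;` placed before `obj->state = EError;`. The three `if(xml) { free(xml); }` guards could be plain `free(xml);`, since `free(NULL)` is a no-op. The function starts before and continues after the hunk.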
From: Yh793
Date: Fri, 19 Nov 2021 02:29:02 +0800
Subject: [PATCH 3/6] miniupnpd: fix for CVE-2019-12108 upstream: https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c
---
 trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c b/trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c
index 89af30f73ab..f32f7c86022 100644
--- a/trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c
+++ b/trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c
@@ -1840,6 +1840,13 @@ GetOutboundPinholeTimeout(struct upnphttp * h, const char * action, const char *
 rem_port = GetValueFromNameValueList(&data, "RemotePort");
 protocol = GetValueFromNameValueList(&data, "Protocol");
 
+ if (!int_port || !ext_port || !protocol)
+ {
+ ClearNameValueList(&data);
+ SoapError(h, 402, "Invalid Args");
+ return;
+ }
+
 rport = (unsigned short)atoi(rem_port);
 iport = (unsigned short)atoi(int_port);
 /*proto = atoi(protocol);*/
From f80c8ef9cf7374360d65319685b550a3d6b8ecdd Mon Sep 17 00:00:00 2001
From: Yh793
Date: Fri, 19 Nov 2021 13:49:01 +0800
Subject: [PATCH 4/6] miniupnpd: fix for CVE-2019-12109 upstream: https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692
---
 trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c b/trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c
index f32f7c86022..798e5d1ca77 100644
--- a/trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c
+++ b/trunk/user/miniupnpd/miniupnpd-2.x/upnpsoap.c
@@ -1840,7 +1840,7 @@ GetOutboundPinholeTimeout(struct upnphttp * h, const char * action, const char *
 rem_port = GetValueFromNameValueList(&data, "RemotePort");
 protocol = GetValueFromNameValueList(&data, "Protocol");
 
- if (!int_port || !ext_port || !protocol)
+ if (!int_port || !rem_port || !protocol)
 {
 ClearNameValueList(&data);
 SoapError(h, 402, "Invalid Args");
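Review bot: In the upnpsoap.c hunk of patch 3/6 (GetOutboundPinholeTimeout), the added guard rejects only missing arguments; `rem_port` and `int_port` still go through `atoi()` and an `(unsigned short)` cast in the context lines right below it, so non-numeric text becomes port 0 and a value above 65535 wraps silently. A checked conversion on each value would close that: `long v = strtol(rem_port, &end, 10);` followed by `if (end == rem_port || *end != '\0' || v < 0 || v > 65535)` taking the same `SoapError(h, 402, "Invalid Args")` path. The guard in this patch names `ext_port` where the converted value is `rem_port`; patch 4/6 of this series already corrects that. The function body starts and ends outside the hunk.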
From af6a0c98574e1606f335b628ce6f2e8ffb4c93eb Mon Sep 17 00:00:00 2001
From: Yh793
Date: Fri, 19 Nov 2021 13:49:54 +0800
Subject: [PATCH 5/6] miniupnpd: fix for CVE-2019-12110 upstream: https://github.com/miniupnp/miniupnp/commit/f321c2066b96d18afa5158dfa2d2873a2957ef38
---
 trunk/user/miniupnpd/miniupnpd-2.x/upnpredirect.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/trunk/user/miniupnpd/miniupnpd-2.x/upnpredirect.c b/trunk/user/miniupnpd/miniupnpd-2.x/upnpredirect.c
index 2d18c3c4b25..073a24b0be0 100644
--- a/trunk/user/miniupnpd/miniupnpd-2.x/upnpredirect.c
+++ b/trunk/user/miniupnpd/miniupnpd-2.x/upnpredirect.c
@@ -310,6 +310,10 @@ upnp_redirect(const char * rhost, unsigned short eport,
 "%hu->%s:%hu %s", eport, iaddr, iport, protocol);
 return -3;
 }
+
+ if (desc == NULL)
+ desc = ""; /* assume empty description */
+
 /* IGDv1 (WANIPConnection:1 Service Template Version 1.01 / Nov 12, 2001)
 * - 2.2.20.PortMappingDescription :
 * Overwriting Previous / Existing Port Mappings:
From 52b9c757af62b749f3fd91416d24fa31ceee04ce Mon Sep 17 00:00:00 2001
From: Yh793
Date: Fri, 19 Nov 2021 13:50:21 +0800
Subject: [PATCH 6/6] miniupnpd: fix for CVE-2019-12111 upstream: https://github.com/miniupnp/miniupnp/commit/cb8a02af7a5677cf608e86d57ab04241cf34e24f
---
 trunk/user/miniupnpd/miniupnpd-2.x/pcpserver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/trunk/user/miniupnpd/miniupnpd-2.x/pcpserver.c b/trunk/user/miniupnpd/miniupnpd-2.x/pcpserver.c
index e0cf3e4bfae..1f44bc0cd58 100644
--- a/trunk/user/miniupnpd/miniupnpd-2.x/pcpserver.c
+++ b/trunk/user/miniupnpd/miniupnpd-2.x/pcpserver.c
@@ -178,7 +178,7 @@ static const char * getPCPOpCodeStr(uint8_t opcode)
 * buffers are same */
 static void copyIPv6IfDifferent(void * dest, const void * src)
 {
- if(dest != src) {
+ if(dest != src && src != NULL) {
 memcpy(dest, src, sizeof(struct in6_addr));
 }
 }
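Review bot: In the upnpredirect.c hunk (upnp_redirect), the new `if (desc == NULL)` carries an unbraced body on the following line, which is easy to break when a second statement is added later; bracing it, `if (desc == NULL) {` / `desc = ""; /* assume empty description */` / `}`, removes that risk. A line in the function's header comment stating that a NULL `desc` is accepted and treated as an empty string would let callers rely on it. Whether `desc` is read earlier in the function than this point cannot be seen here, since the hunk starts inside the body.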
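Review bot: In the pcpserver.c hunk, copyIPv6IfDifferent now also returns without copying when `src` is NULL, but the comment above it still describes only the same-buffer case, and `dest` keeps whatever it held before the call. The comment should say so, for example `/* ... buffers are same; a NULL src is ignored and dest is left unchanged */`, so that callers know they must initialise `dest` themselves in that case. `dest` is still passed to `memcpy` without a NULL check of its own.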