[minissdpc.c] Index out of bounds for type 'char[3]'

[Coeur]

In current version used by Transmission (which is e37cde8 from July 2017), minissdpc.c is causing undefined behavior on those lines:

miniupnpc/minissdpc.c

Lines 863 to 868 in e37cde8

	tmp->buffer[urlsize] = '\0';
	memcpy(tmp->st, st, stsize);
	tmp->buffer[urlsize+1+stsize] = '\0';
	if(usn != NULL)
	memcpy(tmp->usn, usn, usnsize);
	tmp->buffer[urlsize+1+stsize+1+usnsize] = '\0';

minissdpc.c:863 Index 37 out of bounds for type 'char[3]'
minissdpc.c:865 Index 89 out of bounds for type 'char[3]'
minissdpc.c:868 Index 184 out of bounds for type 'char[3]'

I do not know if it's fixed or not in newer versions of miniupnpc: let's adopt a newer version and see from there.

[Neustradamus]

Dear @transmission team,

Any news on it?

Source:

• https://github.com/miniupnp/miniupnp
• https://github.com/miniupnp/miniupnp/tree/master/miniupnpc

[Coeur]

There was an attempt to update it 1.5 years ago, but it got abandoned on Windows build issues (@ckerr):
transmission/transmission#3020
Feel free to try a pull request yourself, @Neustradamus