From 4ee5b9d28ad4f237014caff204c95224aa230e78 Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Wed, 7 Nov 2018 17:55:11 -0800
Subject: [PATCH] Fix handling of malformed SSDP responses
---
 miss/tracer.cpp | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/miss/tracer.cpp b/miss/tracer.cpp
index a47ff4d..8174cae 100644
--- a/miss/tracer.cpp
+++ b/miss/tracer.cpp
@@ -94,11 +94,22 @@ struct UPNPDev* getUPnPDevicesByAddress(IN_ADDR address)
 char* protocol = strtok(responseBuffer, " ");
 char* statusCodeStr = strtok(nullptr, " ");
 char* statusMessage = strtok(nullptr, "\r");
- if (_stricmp(protocol, "HTTP/1.0") && _stricmp(protocol, "HTTP/1.1")) {
+
+ // Check for a valid response header
+ if (protocol == nullptr) {
+ printf("Missing protocol in SSDP header\n");
+ continue;
+ }
+ else if (statusCodeStr == nullptr) {
+ printf("Missing status code in SSDP header\n");
+ continue;
+ }
+ // FIXME: Should we require statusMessage too?
+ else if (_stricmp(protocol, "HTTP/1.0") && _stricmp(protocol, "HTTP/1.1")) {
 printf("Unexpected protocol: %s\n", protocol);
 continue;
 }
- if (atoi(statusCodeStr) != 200) {
+ else if (atoi(statusCodeStr) != 200) {
 printf("Unexpected status: %s %s\n", statusCodeStr, statusMessage);
 continue;
 }
@@ -109,6 +120,10 @@ struct UPNPDev* getUPnPDevicesByAddress(IN_ADDR address)
 char* st = nullptr;
 while (char* headerName = strtok(nullptr, "\r\n:")) {
 char* headerValue = strtok(nullptr, "\r");
+ if (headerValue == nullptr) {
+ printf("Unexpected end of SSDP header\n");
+ break;
+ }
 // Skip leading spaces
 while (*headerValue == ' ') headerValue++;
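Review bot: `statusMessage` is still passed to `%s` unchecked in the "Unexpected status" branch, and it is null whenever the response ends right after the status code; the new guards cover only `protocol` and `statusCodeStr`, and the FIXME leaves this open. Passing a null pointer to `%s` is undefined behaviour, so the print should become `printf("Unexpected status: %s %s\n", statusCodeStr, statusMessage ? statusMessage : "");`. Separately, `atoi` accepts a code such as `200x` as 200; `strtol` with an end-pointer check would reject it. The enclosing loop in getUPnPDevicesByAddress starts and ends outside the hunk, so whether `responseBuffer` is NUL-terminated before the first `strtok` cannot be confirmed from here.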
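Review bot: The added null check only covers running out of buffer; a header line with no `:` still desynchronises the parse, because the name token (delimiters `"\r\n:"`) then ends at `\r` and the following `strtok(nullptr, "\r")` returns the entire next line, leading `\n` included, as `headerValue`. Since SSDP replies arrive over UDP from any host on the local network, one malformed line can silently swallow the header that follows it. Splitting on line ends first and finding the colon inside each line, as sketched below, keeps a bad line from affecting its neighbours. The loop body continues outside the hunk, so the header matching after the space-skip is assumed unchanged.

```cpp
while (char* line = strtok(nullptr, "\r\n")) {
    char* colon = strchr(line, ':');
    if (colon == nullptr) {
        printf("Skipping SSDP header line without ':'\n");
        continue;
    }
    *colon = '\0';
    char* headerName = line;
    char* headerValue = colon + 1;

    // … unchanged: skip leading spaces, then header matching …
```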