BTW: for transmission-gtk and vino this appears to be a heap overflow, not a stack overflow.
The UPNP_GetValidIGD function overwrites a caller-provided pointer to an IGDdatas structure, and it happens to be on the heap.
- vino: https://git.gnome.org/browse/vino/tree/server/vino-upnp.c#n39
- transmission: https://trac.transmissionbt.com/browser/trunk/libtransmission/upnp.c#Lstatic45
For these packages, the structure is a static global variable:
- maki-plugins
- libeiskaltdcpp2.2
For these it is on the stack:
- 0ad
Doesn't call UPNP_GetValidIGD at all:
- warzone2100
- megaglest
Bitcoin (not an Ubuntu package, but the PPA used to rely on this package) is one of the few programs that has the structure on the stack. Apparently Cisco TALOS used that for their probing.