# D-Link DIR-825 miniupnpd Stack Overflow via AddPortMapping
Affected component: miniupnpd AddPortMapping update path of the D-Link DIR-825 (miniupnpd WANIPConnection SOAP service, control URL `/ctl/IPConn`).

---
## 1. Vulnerability Overview
A stack-based buffer overflow exists in the miniupnpd implementation used by D-Link DIR-825. The issue is reachable through the LAN-side UPnP SOAP interface during AddPortMapping processing.
An attacker on the local network can send a crafted AddPortMapping request with an oversized NewPortMappingDescription value. When the request updates an existing port mapping, the description is written to a fixed-size stack buffer via sprintf() without length validation, leading to memory corruption.
---
## 2. Detailed Description
The UPnP HTTP handler accepts variable-length SOAP bodies and stores them in a dynamically grown request buffer:
```c
h->req_buf = (char *)realloc(h->req_buf, n + h->req_buflen + 1);
memcpy(h->req_buf + h->req_buflen, buf, n);
...
h->req_buf = (char *)realloc(h->req_buf, n + h->req_buflen);
memcpy(h->req_buf + h->req_buflen, buf, n);
```
The AddPortMapping() SOAP handler then extracts attacker-controlled fields from this request body, including NewPortMappingDescription:
```c
desc = GetValueFromNameValueList(&data, "NewPortMappingDescription");
...
r = upnp_redirect(eport, int_ip, iport, protocol, desc, ext_ip, atoi(Enabled), atol(leaseduration));
```
If the port mapping already exists and matches the same internal host and port tuple, the code enters the update path:
```c
if(r == 0 && strcmp(iaddr,iaddr_old)==0 && iport==iport_old)
{
    ...
    lease_file_update(eport, iaddr, iport, proto, desc, eaddr, Enabled, LeaseDuration);
    ...
}
```
Inside lease_file_update(), a fixed-size stack buffer is used:
```c
char buf[512];
```
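As an added example (not miniupnpd's code or D-Link's fix), a hardened form of the update-path write: the description is length-checked before the handler reaches the lease-file update, and the record is formatted with a bounded `snprintf()` whose truncation is treated as an error instead of silently accepted. The record layout, `MAX_DESC_LEN` and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LEASE_BUF_SIZE 512  /* the char buf[512] cited in the advisory */
#define MAX_DESC_LEN    80  /* assumed policy cap on NewPortMappingDescription */

/* Hypothetical hardened replacement for the sprintf() in lease_file_update():
 * bounded snprintf, and truncation is treated as an error rather than silently
 * accepted. Returns bytes written, or -1 if the record does not fit. */
int format_lease_record(char *out, size_t outlen, unsigned short eport,
                        const char *iaddr, unsigned short iport,
                        const char *proto, const char *desc)
{
    /* Field order is an assumption; the real lease-file layout is not on the page. */
    int n = snprintf(out, outlen, "%s:%hu:%s:%hu:%s\n",
                     proto, eport, iaddr, iport, desc);
    if (n < 0 || (size_t)n >= outlen) {  /* n >= outlen means snprintf truncated */
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Validation the SOAP handler should apply before reaching the update path:
 * reject a missing or over-long description instead of passing it through. */
int description_is_sane(const char *desc)
{
    return desc != NULL && strlen(desc) <= MAX_DESC_LEN;
}

/* Models the update path with both layers in place: validate first, then format
 * into the same 512-byte stack buffer. Returns 0 on success, -1 on rejection. */
int safe_lease_update(unsigned short eport, const char *iaddr,
                      unsigned short iport, const char *proto, const char *desc)
{
    char buf[LEASE_BUF_SIZE];
    if (!description_is_sane(desc))
        return -1;
    return format_lease_record(buf, sizeof buf, eport, iaddr, iport, proto, desc) < 0 ? -1 : 0;
}

/* Constructed test input: a description longer than the whole 512-byte buffer. */
const char *constructed_oversized_desc(void)
{
    static char big[600];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}
```

The second layer matters on its own: even with a description cap, any future change to the record layout or field widths is caught by the truncation check rather than by a stack overwrite.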