[gupnp] service: Limit call-back URIs to 256 characters



commit 66a73e96f5a733a149803a985686a4e4e196f90b
Author: Jens Georg <mail jensge org>
Date:   Tue Jun 16 21:54:11 2020 +0200

    service: Limit call-back URIs to 256 characters
    
    Follow DLNA guideline 7.3.2.24.4, mitigate part of CVE-2020-12695

 libgupnp/gupnp-service.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)
---
diff --git a/libgupnp/gupnp-service.c b/libgupnp/gupnp-service.c
index a9ac37f..47feab9 100644
--- a/libgupnp/gupnp-service.c
+++ b/libgupnp/gupnp-service.c
@@ -1187,6 +1187,20 @@ send_initial_state (SubscriptionData *data)
         g_free (mem);
 }
 
+static GList *
+add_subscription_callback (GUPnPContext *context,
+                           GList *list,
+                           const char *callback)
+{
+    SoupURI *local_uri = NULL;
+
+    local_uri = gupnp_context_rewrite_uri_to_uri (context, callback);
+    if (local_uri != NULL) {
+        return g_list_append (list, local_uri);
+    }
+
+    return list;
+}
 
 /* Subscription request */
 static void
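Review bot: `add_subscription_callback` has no comment stating its contract: like `g_list_append`, it returns the (possibly new) head of the list, and the appended `SoupURI` appears to become owned by the list. I would add `/* Returns the new head of @list; the list takes ownership of the rewritten SoupURI. */` above it and declare the helper with `G_GNUC_WARN_UNUSED_RESULT`, so a caller that drops the result is flagged at compile time. As a style point, the body is indented with four spaces while the surrounding context in this file uses eight, and the `= NULL` initialiser on `local_uri` is overwritten on the next statement.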
@@ -1195,7 +1209,7 @@ subscribe (GUPnPService *service,
            const char   *callback)
 {
         SubscriptionData *data;
-        char *start, *end, *uri;
+        char *start, *end;
         GUPnPServicePrivate *priv;
         GUPnPContext *context;
 
@@ -1217,14 +1231,18 @@ subscribe (GUPnPService *service,
                         break;
 
                 if (strncmp (start, "http://";, strlen ("http://";)) == 0) {
-                        SoupURI *local_uri;
-
-                        uri = g_strndup (start, end - start);
-                        local_uri = gupnp_context_rewrite_uri_to_uri (context, uri);
-                        g_free (uri);
-                        if (local_uri != NULL) {
-                            data->callbacks = g_list_append (data->callbacks, local_uri);
+                        *end = '\0';
+                        g_debug ("Subscription callback: >%s< >%s<", start, g_strndup (start, end - start));
+                        // DLNA 7.3.2.24.4 - URIs shall not exceed 256 bytes
+                        // Also one part of CVE-2020-12695 mitigation - limit URI length
+                        // UPnP does not impose any restrictions here
+                        if (strlen (start) <= 256) {
+                            add_subscription_callback (context, data->callbacks, start);
+                        } else {
+                            g_warning ("Subscription URI exceeds recommended length of "
+                                       "256 bytes, skipping");
                         }
+                        *end = '>';
                 }
 
                 start = end;
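Review bot: The result of `add_subscription_callback` is discarded at the new call site, so if `data->callbacks` starts out NULL (its initialisation is outside this hunk) the appended node never reaches the subscription data and the rewritten `SoupURI` leaks; the call should read `data->callbacks = add_subscription_callback (context, data->callbacks, start);`. The `g_debug` line also passes a fresh `g_strndup (start, end - start)` that is never freed, leaking one copy of request-supplied data per callback URI. Since `*end` is already NUL at that point, the second argument only repeats the first, and `g_debug ("Subscription callback: >%s<", start);` is sufficient. The temporary `*end = '\0'` / `*end = '>'` writes appear to go through a pointer derived from the `const char *callback` parameter, which is worth confirming against the part of `subscribe` that lies outside this hunk.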

