[gupnp/gupnp-1.0] service: Limit call-back URIs to 256 characters



commit df3bb8e20fb04ebc2bc1afd2465b66cd9421e184
Author: Jens Georg <mail jensge org>
Date:   Tue Jun 16 21:54:11 2020 +0200

    service: Limit call-back URIs to 256 characters
    
    Follow DLNA guideline 7.3.2.24.4, mitigate part of CVE-2020-12695

 libgupnp/gupnp-service.c | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
---
diff --git a/libgupnp/gupnp-service.c b/libgupnp/gupnp-service.c
index b3afe58..a64b33f 100644
--- a/libgupnp/gupnp-service.c
+++ b/libgupnp/gupnp-service.c
@@ -1181,6 +1181,19 @@ send_initial_state (SubscriptionData *data)
         g_free (mem);
 }
 
+static GList *
+add_subscription_callback (GList *list,
+                           const char *callback)
+{
+    SoupURI *local_uri = NULL;
+
+    local_uri = soup_uri_new (callback);
+    if (local_uri != NULL) {
+        return g_list_append (list, local_uri);
+    }
+
+    return list;
+}
 
 /* Subscription request */
 static void
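Review bot: `add_subscription_callback` returns the possibly new list head, but nothing in its declaration tells the caller to store it. A comment such as `/* Returns the new head of @list; the list takes ownership of the parsed SoupURI. */` plus `G_GNUC_WARN_UNUSED_RESULT` on the function would turn a dropped result into a compiler warning. A callback that `soup_uri_new` rejects is skipped silently, whereas the over-length case in subscribe() logs a `g_warning`; logging here as well would keep rejected subscription URIs visible to an operator. The body is indented with four spaces where the surrounding context lines use eight.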
@@ -1189,7 +1202,7 @@ subscribe (GUPnPService *service,
            const char   *callback)
 {
         SubscriptionData *data;
-        char *start, *end, *uri;
+        char *start, *end;
 
         data = g_slice_new0 (SubscriptionData);
 
@@ -1205,13 +1218,18 @@ subscribe (GUPnPService *service,
                         break;
 
                 if (strncmp (start, "http://";, strlen ("http://";)) == 0) {
-                        SoupURI *local_uri;
-                        uri = g_strndup (start, end - start);
-                        local_uri = soup_uri_new (uri);
-                        g_free (uri);
-                        if (local_uri != NULL) {
-                            data->callbacks = g_list_append (data->callbacks, local_uri);
+                        *end = '\0';
+                        g_debug ("Subscription callback: >%s< >%s<", start, g_strndup (start, end - start));
+                        // DLNA 7.3.2.24.4 - URIs shall not exceed 256 bytes
+                        // Also one part of CVE-2020-12695 mitigation - limit URI length
+                        // UPnP does not impose any restrictions here
+                        if (strlen (start) <= 256) {
+                            add_subscription_callback (data->callbacks, start);
+                        } else {
+                            g_warning ("Subscription URI exceeds recommended length of "
+                                       "256 bytes, skipping");
                         }
+                        *end = '>';
                 }
 
                 start = end;
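Review bot: The result of `add_subscription_callback (data->callbacks, start);` is discarded, so while `data->callbacks` is still NULL (data comes from `g_slice_new0`) the head returned by `g_list_append` is lost, the `SoupURI` leaks and no callback is recorded; it should read `data->callbacks = add_subscription_callback (data->callbacks, start);`. The `g_debug` call leaks the `g_strndup (start, end - start)` copy for every callback in a remotely supplied header, and prints the same text twice now that `*end` is NUL; `g_debug ("Subscription callback: >%s<", start);` is sufficient. `*end = '\0'` writes into the string reached through `const char *callback`; how `start` and `end` are derived lies outside the hunk, so confirm that buffer is writable, or run the length check on `end - start` and parse a bounded copy instead. subscribe()'s body begins and ends outside this hunk.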

