[gupnp/gupnp-1.0] service: Limit number of call-backs to 6

[Jens Georg <jensgeorg src gnome org>]

commit 7b9e98ad7dba9a079859469eb536db7a28dc9951
Author: Jens Georg <mail jensge org>
Date:   Thu Jun 18 20:38:17 2020 +0200

    service: Limit number of call-backs to 6

 libgupnp/gupnp-service.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
---
diff --git a/libgupnp/gupnp-service.c b/libgupnp/gupnp-service.c
index e15b300..4235cab 100644
--- a/libgupnp/gupnp-service.c
+++ b/libgupnp/gupnp-service.c
@@ -1216,6 +1216,7 @@ subscribe (GUPnPService *service,
         SubscriptionData *data;
         char *start, *end;
         GUPnPContext *context;
+        int callbacks = 0;
 
         context = gupnp_service_info_get_context
                                             (GUPNP_SERVICE_INFO (service));
@@ -1224,7 +1225,10 @@ subscribe (GUPnPService *service,
 
         /* Parse callback list */
         start = (char *) callback;
-        while ((start = strchr (start, '<'))) {
+
+        // Arbitrarily limit the list of callbacks to 6
+        // Part of CVE-2020-12695 mitigation
+        while (callbacks < 6 && (start = strchr (start, '<'))) {
                 start += 1;
                 if (!start || !*start)
                         break;
@@ -1250,6 +1254,7 @@ subscribe (GUPnPService *service,
                 *end = '>';
 
                 start = end;
+                callbacks++;
         }
 
         if (!data->callbacks) {