diff options
author | Jens Georg <mail@jensge.org> | 2020-06-18 20:38:17 +0200 |
---|---|---|
committer | Jens Georg <mail@jensge.org> | 2020-06-18 20:38:17 +0200 |
commit | 31b77b114b80b81f0fa0b004760126864d3bb3f2 (patch) | |
tree | b32256ff957726305668f4d2d06911b0d1e336e1 | |
parent | a1edc424d9e4981fc805130145df7582888057d1 (diff) | |
download | gupnp-31b77b114b80b81f0fa0b004760126864d3bb3f2.tar.gz |
service: Limit number of call-backs to 6
-rw-r--r-- | libgupnp/gupnp-service.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/libgupnp/gupnp-service.c b/libgupnp/gupnp-service.c index cf90a0c..a6e7532 100644 --- a/libgupnp/gupnp-service.c +++ b/libgupnp/gupnp-service.c @@ -1223,6 +1223,7 @@ subscribe (GUPnPService *service, char *start, *end; GUPnPServicePrivate *priv; GUPnPContext *context; + int callbacks = 0; priv = gupnp_service_get_instance_private (service); context = gupnp_service_info_get_context @@ -1232,7 +1233,10 @@ subscribe (GUPnPService *service, /* Parse callback list */ start = (char *) callback; - while ((start = strchr (start, '<'))) { + + // Arbitrarily limit the list of callbacks to 6 + // Part of CVE-2020-12695 mitigation + while (callbacks < 6 && (start = strchr (start, '<'))) { start += 1; if (!start || !*start) break; @@ -1258,6 +1262,7 @@ subscribe (GUPnPService *service, *end = '>'; start = end; + callbacks++; } if (!data->callbacks) { |