service: Limit number of call-backs to 6

author: Jens Georg <mail@jensge.org> 2020-06-18 20:38:17 +0200
committer: Jens Georg <mail@jensge.org> 2020-06-18 20:38:17 +0200
commit: 31b77b114b80b81f0fa0b004760126864d3bb3f2 (patch)
tree: b32256ff957726305668f4d2d06911b0d1e336e1
parent: a1edc424d9e4981fc805130145df7582888057d1 (diff)
download: gupnp-31b77b114b80b81f0fa0b004760126864d3bb3f2.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/libgupnp/gupnp-service.c b/libgupnp/gupnp-service.c
index cf90a0c..a6e7532 100644
--- a/libgupnp/gupnp-service.c
+++ b/libgupnp/gupnp-service.c
@@ -1223,6 +1223,7 @@ subscribe (GUPnPService *service,
         char *start, *end;
         GUPnPServicePrivate *priv;
         GUPnPContext *context;
+        int callbacks = 0;
 
         priv = gupnp_service_get_instance_private (service);
         context = gupnp_service_info_get_context
@@ -1232,7 +1233,10 @@ subscribe (GUPnPService *service,
 
         /* Parse callback list */
         start = (char *) callback;
-        while ((start = strchr (start, '<'))) {
+
+        // Arbitrarily limit the list of callbacks to 6
+        // Part of CVE-2020-12695 mitigation
+        while (callbacks < 6 && (start = strchr (start, '<'))) {
                 start += 1;
                 if (!start || !*start)
                         break;
@@ -1258,6 +1262,7 @@ subscribe (GUPnPService *service,
                 *end = '>';
 
                 start = end;
+                callbacks++;
         }
 
         if (!data->callbacks) {
author	Jens Georg <mail@jensge.org>	2020-06-18 20:38:17 +0200
committer	Jens Georg <mail@jensge.org>	2020-06-18 20:38:17 +0200
commit	31b77b114b80b81f0fa0b004760126864d3bb3f2 (patch)
tree	b32256ff957726305668f4d2d06911b0d1e336e1
parent	a1edc424d9e4981fc805130145df7582888057d1 (diff)
download	gupnp-31b77b114b80b81f0fa0b004760126864d3bb3f2.tar.gz