path: root/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch
blob: 695a2c94f0241eee9fe5222bb852b68c6303a2b3 (plain)
From c805c1de1141cb22f74c0d94dd5664bda37398e0 Mon Sep 17 00:00:00 2001
From: Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
Date: Thu, 4 Jun 2020 12:03:03 -0300
Subject: [PATCH] Fixes #177: NULL pointer dereference in
 FindServiceControlURLPath

Also fixes its dual bug in FindServiceEventURLPath.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2020-13848
         
Upstream-Status: Accepted [https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0]
CVE: CVE-2020-13848
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>

---
 ChangeLog                                     |  6 ++++++
 upnp/src/genlib/service_table/service_table.c | 16 ++++++++++------
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 4a956fc..265d268 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,12 @@
 Version 1.8.4
 *******************************************************************************

+2020-06-04 Patrik Lantz pjlantz(at)github
+
+	Fixes #177
+
+	NULL pointer dereference in FindServiceControlURLPath
+
 2017-11-17 Marcelo Jimenez <mroberto(at)users.sourceforge.net>

	GitHub #57 - 1.8.3 broke ABI without changing SONAME
diff --git a/upnp/src/genlib/service_table/service_table.c b/upnp/src/genlib/service_table/service_table.c
index 98c2c0f..f3ee4e5 100644
--- a/upnp/src/genlib/service_table/service_table.c
+++ b/upnp/src/genlib/service_table/service_table.c
@@ -300,12 +300,11 @@ FindServiceEventURLPath( service_table * table,
     uri_type parsed_url;
     uri_type parsed_url_in;

-    if( ( table )
-        &&
-        ( parse_uri( eventURLPath,
-                     strlen( eventURLPath ),
-                     &parsed_url_in ) == HTTP_SUCCESS ) ) {
-
+    if (!table || !eventURLPath) {
+      return NULL;
+    }
+    if (parse_uri(eventURLPath, strlen(eventURLPath), &parsed_url_in) ==
+        HTTP_SUCCESS) {
         finger = table->serviceList;
         while( finger ) {
             if( finger->eventURL )
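Review bot: The new guard in FindServiceEventURLPath (`if (!table || !eventURLPath)`) returns NULL with no comment saying that a NULL path is now an accepted input, and the same holds for the matching guard on `controlURLPath` in the FindServiceControlURLPath hunk below. The path presumably originates from a parsed network request, so I would state the contract on the guard itself, e.g. `/* NULL table or path: report "no matching service" instead of passing NULL to strlen(). */`. The two added `return NULL;` lines are also indented by two columns inside the guard, while the surrounding body uses four. Both function bodies continue outside the hunks, so whether every caller already treats a NULL result as "not found" cannot be confirmed from here.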
@@ -352,11 +351,11 @@ FindServiceControlURLPath( service_table * table,
     uri_type parsed_url;
     uri_type parsed_url_in;

-    if( ( table )
-        &&
-        ( parse_uri
-          ( controlURLPath, strlen( controlURLPath ),
-            &parsed_url_in ) == HTTP_SUCCESS ) ) {
+    if (!table || !controlURLPath) {
+      return NULL;
+    }
+    if (parse_uri(controlURLPath, strlen(controlURLPath), &parsed_url_in) ==
+        HTTP_SUCCESS) {
         finger = table->serviceList;
         while( finger ) {
             if( finger->controlURL )