GUPnP 1.0.5 null-pointer dereference due to uninitialized GSSDPClient field
Dear GSSDP developers,
We believe we have found an issue in the fixes introduced to mitigate CVE-2020-12695 (CallStranger).
When creating a GSSDPClient with both an interface and a host IP value, the init_network_info function in gssdp-client.c fails to set the GInetAddressMask field of the device. When this happens, a subsequent call to gssdp_client_get_address_mask returns NULL even though it shouldn't:
https://gitlab.gnome.org/GNOME/gssdp/-/blob/gssdp_1.0/libgssdp/gssdp-client.c#L2041-2054
In GUPnP, the fix for CallStranger calls the function gupnp_context_ip_is_ours to verify that the client's network matches the callback address, but if the mask is uninitialized, the NULL value returned causes a crash in:
https://gitlab.gnome.org/GNOME/gupnp/-/blob/gupnp-1.0/libgupnp/gupnp-context.c#L1578-1589
Fixing this issue would entail making init_network_info initialize the address mask when both an interface and an IP are given.
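The failure mode described above, modelled in plain C as an added illustration (this is not GSSDP or GUPnP code, and it does not use GLib): a client record whose address mask is left unset on the interface-plus-host-IP path, the proposed fix that derives the mask on every path, and an `ip_is_ours` check that fails closed on a missing mask instead of dereferencing NULL. All type and function names here are hypothetical stand-ins, the IPv4 parsing is a minimal substitute for GInetAddressMask, and the host IP doubles as the interface address because interface lookup is outside this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for GInetAddressMask, IPv4 only (hypothetical, not GIO). */
typedef struct {
    uint32_t network;   /* network address, host byte order */
    int prefix_len;     /* 0..32 */
} AddrMask;

/* Stand-in for the GSSDPClient fields discussed in the report (hypothetical). */
typedef struct {
    const char *iface;
    const char *host_ip;
    AddrMask *mask;     /* left NULL on the defective path */
} Client;

/* Parse a dotted-quad IPv4 string into host byte order; 1 on success, 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (s == NULL || sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static uint32_t netmask_of(int prefix_len)
{
    return prefix_len <= 0 ? 0u : 0xFFFFFFFFu << (32 - prefix_len);
}

/* Build a mask from an address and prefix length; NULL if the input is malformed. */
static AddrMask *mask_new(const char *addr_str, int prefix_len)
{
    uint32_t addr;
    if (prefix_len < 0 || prefix_len > 32 || !parse_ipv4(addr_str, &addr))
        return NULL;
    AddrMask *m = malloc(sizeof *m);
    m->prefix_len = prefix_len;
    m->network = addr & netmask_of(prefix_len);
    return m;
}

/* Models the reported init_network_info behaviour: when both an interface and a
 * host IP are supplied, mask derivation is skipped and c->mask stays NULL. */
static Client *client_init_reported(const char *iface, const char *host_ip, int prefix_len)
{
    Client *c = calloc(1, sizeof *c);
    c->iface = iface;
    c->host_ip = host_ip;
    if (iface != NULL && host_ip != NULL)
        return c;                       /* defect: mask never set on this path */
    c->mask = mask_new(host_ip, prefix_len);
    return c;
}

/* The fix proposed in the report: derive the mask on every path. */
static Client *client_init_fixed(const char *iface, const char *host_ip, int prefix_len)
{
    Client *c = calloc(1, sizeof *c);
    c->iface = iface;
    c->host_ip = host_ip;
    c->mask = mask_new(host_ip, prefix_len);
    return c;
}

/* Models the consuming check. Returns 1 if ip lies inside the client's network,
 * 0 otherwise. A missing mask is treated as "not ours": the CallStranger
 * mitigation fails closed instead of dereferencing NULL, which is the crash
 * the report describes in gupnp_context_ip_is_ours. */
static int ip_is_ours(const Client *c, const char *ip)
{
    uint32_t addr;
    if (c == NULL || c->mask == NULL) {
        fprintf(stderr, "ip_is_ours: address mask not initialised, refusing %s\n",
                ip ? ip : "(null)");
        return 0;
    }
    if (!parse_ipv4(ip, &addr))
        return 0;
    return (addr & netmask_of(c->mask->prefix_len)) == c->mask->network;
}

static void client_free(Client *c) { if (c) { free(c->mask); free(c); } }

int main(void)
{
    /* Constructed sample: interface eth0 on 192.168.1.0/24 with host IP 192.168.1.10. */
    Client *broken = client_init_reported("eth0", "192.168.1.10", 24);
    Client *fixed  = client_init_fixed("eth0", "192.168.1.10", 24);

    printf("reported build, mask set: %s\n", broken->mask ? "yes" : "no");
    printf("reported build, 192.168.1.50 ours: %d\n", ip_is_ours(broken, "192.168.1.50"));
    printf("fixed build, 192.168.1.50 ours: %d\n", ip_is_ours(fixed, "192.168.1.50"));
    printf("fixed build, 10.0.0.5 ours: %d\n", ip_is_ours(fixed, "10.0.0.5"));

    client_free(broken);
    client_free(fixed);
    return 0;
}
```

The point of the guard in `ip_is_ours` is that a callback-origin check used as a security control should refuse when its input is missing; the library-side fix of always populating the mask removes the NULL in the first place, and the consumer-side NULL check keeps a future regression from turning into a crash.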
Thank you.