Don't unref the mask

Emilio Pozuelo Monfort requested to merge epm/gupnp:network-mask-unref into gupnp-1.0

While preparing updates for gssdp and gupnp to 1.0.5 for Debian to address CVE-2020-12695, I found a regression in gupnp that can be used to crash a server. The fix for CVE-2020-12695 requests the network mask from gssdp to check if a subscription request is in the same network. However, gupnp then incorrectly unrefs the network mask, which causes subsequent calls to return an invalid pointer (as the mask has been disposed and possibly destroyed), leading to a segfault.

Running rygel against gupnp 1.0.5 while gupnp-universal-cp is running (or starting that afterwards) is enough to trigger the bug.
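
The ownership mistake described above, as an added sketch that is not code from gupnp or gssdp: a toy reference-counted mask (the `Mask` and `Client` types and all function names are hypothetical, no GLib) whose getter returns a borrowed pointer. The model reports a disposed mask as -1 instead of touching freed memory; that is the point at which the real server would segfault.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a reference-counted object (hypothetical, not GLib). */
typedef struct { int refs; bool disposed; uint32_t netmask; } Mask;

/* The client owns exactly one reference to its mask for its whole lifetime. */
typedef struct { Mask mask; } Client;

static void client_init(Client *c, uint32_t netmask) {
    c->mask = (Mask){ .refs = 1, .disposed = false, .netmask = netmask };
}

static void mask_unref(Mask *m) {
    if (--m->refs == 0)
        m->disposed = true;   /* a real object would be freed here */
}

/* Getter hands out a borrowed pointer: callers must not unref it. */
static Mask *client_get_mask(Client *c) { return &c->mask; }

/* 1 = same network, 0 = different, -1 = mask already disposed. */
static int same_network(Client *c, uint32_t host, uint32_t peer) {
    Mask *m = client_get_mask(c);
    if (m->disposed)
        return -1;
    return (host & m->netmask) == (peer & m->netmask);
}

/* Regression pattern: the caller drops a reference it never owned. */
static int check_buggy(Client *c, uint32_t host, uint32_t peer) {
    int r = same_network(c, host, peer);
    if (r >= 0)
        mask_unref(client_get_mask(c));
    return r;
}

/* Fixed pattern: use the borrowed mask and leave its refcount alone. */
static int check_fixed(Client *c, uint32_t host, uint32_t peer) {
    return same_network(c, host, peer);
}

int main(void) {
    Client c;
    client_init(&c, 0xFFFFFF00u);                 /* constructed: /24 mask */
    int first  = check_buggy(&c, 0xC0A80105u, 0xC0A80142u);
    int second = check_buggy(&c, 0xC0A80105u, 0xC0A80142u);
    printf("buggy caller: first=%d second=%d\n", first, second);
    return 0;
}
```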