Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NULL pointer dereference in FindServiceControlURLPath #177

Closed
pjlantz opened this issue Jun 2, 2020 · 4 comments
Closed

NULL pointer dereference in FindServiceControlURLPath #177

pjlantz opened this issue Jun 2, 2020 · 4 comments

Comments

@pjlantz
Copy link

pjlantz commented Jun 2, 2020

There is a NULL pointer dereference in the function FindServiceControlURLPath in genlib/service_table/service_table.c.

A segmentation fault occurs if the string controlURLPath is NULL. This crash can be triggered by sending a malformed SUBSCRIBE or UNSUBSCRIBE using any of the attached files.

cat <subscribe/unsubscribe>.txt | nc <ip> 49152

With ASan enabled, this will result in the following output using subscribe.txt

>> AddressSanitizer:DEADLYSIGNAL
=================================================================
==1382600==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9314e77878 bp 0x000000000002 sp 0x7f930eef98d0 T6)
==1382600==The signal is caused by a READ memory access.                                                                                                                      
==1382600==Hint: address points to the zero page.
    #0 0x7f9314e77877 in FindServiceControlURLPath src/genlib/service_table/service_table.c:357
    #1 0x7f9314e85b83 in GetDeviceHandleInfoForPath src/api/upnpapi.c:4246
    #2 0x7f9314e7fda8 in gena_process_subscription_renewal_request src/gena/gena_device.c:1464
    #3 0x7f9314e7641b in dispatch_request src/genlib/miniserver/miniserver.c:157
    #4 0x7f9314e7641b in handle_request src/genlib/miniserver/miniserver.c:230
    #5 0x7f9314e6ffca in WorkerThread src/threadutil/ThreadPool.c:576
    #6 0x7f9314e3efb6 in start_thread /build/glibc-suXNNi/glibc-2.29/nptl/pthread_create.c:486
    #7 0x7f9314d702ce in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa2ce)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/genlib/service_table/service_table.c:357 in FindServiceControlURLPath
Thread T6 created by T0 here:
    #0 0x7f9314ed09b2 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x399b2)
    #1 0x7f9314e6f97b in CreateWorker src/threadutil/ThreadPool.c:651

==1382600==ABORTING

and using unsubscribe.txt

>> AddressSanitizer:DEADLYSIGNAL
=================================================================
==1382441==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0c2ac29878 bp 0x000000000002 sp 0x7f0c23cf78e0 T8)
==1382441==The signal is caused by a READ memory access.                                                                                                                      
==1382441==Hint: address points to the zero page.
    #0 0x7f0c2ac29877 in FindServiceControlURLPath src/genlib/service_table/service_table.c:357
    #1 0x7f0c2ac37b83 in GetDeviceHandleInfoForPath src/api/upnpapi.c:4246
    #2 0x7f0c2ac32001 in gena_process_unsubscribe_request src/gena/gena_device.c:1577
    #3 0x7f0c2ac2841b in dispatch_request src/genlib/miniserver/miniserver.c:157
    #4 0x7f0c2ac2841b in handle_request src/genlib/miniserver/miniserver.c:230
    #5 0x7f0c2ac21fca in WorkerThread src/threadutil/ThreadPool.c:576
    #6 0x7f0c2abf0fb6 in start_thread /build/glibc-suXNNi/glibc-2.29/nptl/pthread_create.c:486
    #7 0x7f0c2ab222ce in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa2ce)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/genlib/service_table/service_table.c:357 in FindServiceControlURLPath
Thread T8 created by T0 here:
    #0 0x7f0c2ac829b2 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x399b2)
    #1 0x7f0c2ac2197b in CreateWorker src/threadutil/ThreadPool.c:651

==1382441==ABORTING

This was tested on the current master branch and on release 1.6.6. Earlier versions may also be affected.

subscribe.txt
unsubscribe.txt

@mrjimenez
Copy link
Collaborator

Hi Patrik,

I have just committed a fix. If possible, please test.

Regards,
Marcelo.

@pjlantz
Copy link
Author

pjlantz commented Jun 4, 2020

This is fixed now.

Thanks,
Patrik

@mrjimenez
Copy link
Collaborator

Nice! Thanks!

Marcelo.

@carnil
Copy link

carnil commented Jun 5, 2020

This issue was assigned CVE-2020-13848

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants