search

intel / dleyna-server

dleyna-server is a library for implementing services that allow clients to discover, browse and manipulate Digital Media Servers. An implementation of such a service for linux is also included.
https://01.org/dleyna/
GNU Lesser General Public License v2.1
28 stars 28 forks source link

Avoid possible crash when getting server properties. #162

Open rtiemann opened 5 years ago

rtiemann commented 5 years ago

The crash occurs when calling dls_device_get_all_props() for a content directory server that we have not yet subscribed to (that is, prv_cds_subscribed() returns FALSE in prv_get_system_update_id_for_props()). This crash is caused by an invalid GVariantBuilder passed to g_variant_builder_end() in prv_get_sleeping_for_props(), leading to a NULL result pointer being passed to dls_async_task_complete(). A GVariant is attempted to be constructed from this NULL pointer in dls_task_complete().

Here is the call chain that leads to the crash:

dls_device_get_all_props()
prv_get_system_update_id_for_props()
gupnp_service_proxy_begin_action("GetSystemUpdateID") -> prv_system_update_id_for_props_cb()
prv_system_update_id_for_props_cb()
prv_get_sr_token_for_props()
prv_get_sleeping_for_props()
dls_async_task_complete()
cb_data->cb() -> prv_async_task_complete()
prv_async_task_complete()
dls_task_complete()
g_variant_new()

The crash was most likely observed when a device running Plex Media Server was present on the network.

This commit moves the call of g_variant_builder_end() in prv_system_update_id_for_props_cb() (which invalidates the GVariantBuilder used later in prv_get_sleeping_for_props()) to the error handling branch. This leaves the GVariantBuilder alone and allows prv_get_sr_token_for_props() or one of its descendants to call g_variant_builder_end() and complete the task.

phako commented 3 years ago

Applied to my fork at https://github.com/phako/dleyna-server/

phako commented 3 years ago

Included in release v0.7.0 at mentioned fork https://github.com/phako/dleyna-server/