[people/pmueller/ipfire-2.x.git] / src / patches / minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch

--- minidlna-1.3.0/upnphttp.c.orig	2020-11-24 19:53:50.000000000 +0100
+++ minidlna-1.3.0/upnphttp.c	2022-04-30 12:59:23.432073807 +0200
@@ -273,6 +273,11 @@
 				p = colon + 1;
 				while(isspace(*p))
 					p++;
+				    n = 0;
+				    while(p[n] >= ' ')
+					    n++;
+				    h->req_Host = p;
+				    h->req_HostLen = n;					
 				for(n = 0; n < n_lan_addr; n++)
 				{
 					for(i = 0; lan_addr[n].str[i]; i++)
@@ -909,6 +914,18 @@
 	}
 
 	DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
+	if(h->req_Host && h->req_HostLen > 0) {
+		const char *ptr = h->req_Host;
+		DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
+		for(i = 0; i < h->req_HostLen; i++) {
+			if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
+				DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
+				Send404(h);/* 403 */
+				return;
+			}
+			ptr++;
+		}
+	}	
 	if(strcmp("POST", HttpCommand) == 0)
 	{
 		h->req_command = EPost;
--- minidlna-1.3.0/upnphttp.h.orig	2020-11-24 19:53:50.000000000 +0100
+++ minidlna-1.3.0/upnphttp.h	2022-04-30 13:00:22.619152312 +0200
@@ -89,6 +89,8 @@
 	struct client_cache_s * req_client;
 	const char * req_soapAction;
 	int req_soapActionLen;
+	const char * req_Host;        /* Host: header */
+	int req_HostLen;
 	const char * req_Callback;	/* For SUBSCRIBE */
 	int req_CallbackLen;
 	const char * req_NT;
Commit	Line	Data
e1e94ae7 AB	1	--- minidlna-1.3.0/upnphttp.c.orig 2020-11-24 19:53:50.000000000 +0100
	2	+++ minidlna-1.3.0/upnphttp.c 2022-04-30 12:59:23.432073807 +0200
	3	@@ -273,6 +273,11 @@
	4	p = colon + 1;
	5	while(isspace(*p))
	6	p++;
	7	+ n = 0;
	8	+ while(p[n] >= ' ')
	9	+ n++;
	10	+ h->req_Host = p;
	11	+ h->req_HostLen = n;
	12	for(n = 0; n < n_lan_addr; n++)
	13	{
	14	for(i = 0; lan_addr[n].str[i]; i++)
	15	@@ -909,6 +914,18 @@
	16	}
	17
	18	DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
	19	+ if(h->req_Host && h->req_HostLen > 0) {
	20	+ const char *ptr = h->req_Host;
	21	+ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
	22	+ for(i = 0; i < h->req_HostLen; i++) {
	23	+ if(ptr != ':' && ptr != '.' && (ptr > '9' \|\| ptr < '0')) {
	24	+ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
	25	+ Send404(h);/* 403 */
	26	+ return;
	27	+ }
	28	+ ptr++;
	29	+ }
	30	+ }
	31	if(strcmp("POST", HttpCommand) == 0)
	32	{
	33	h->req_command = EPost;
	34	--- minidlna-1.3.0/upnphttp.h.orig 2020-11-24 19:53:50.000000000 +0100
	35	+++ minidlna-1.3.0/upnphttp.h 2022-04-30 13:00:22.619152312 +0200
	36	@@ -89,6 +89,8 @@
	37	struct client_cache_s * req_client;
	38	const char * req_soapAction;
	39	int req_soapActionLen;
	40	+ const char * req_Host; /* Host: header */
	41	+ int req_HostLen;
	42	const char * req_Callback; /* For SUBSCRIBE */
	43	int req_CallbackLen;
	44	const char * req_NT;