| From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001 |
| From: Michal Sekletar <msekleta@redhat.com> |
| Date: Mon, 23 Oct 2023 13:38:35 +0200 |
| Subject: [PATCH] core: extract host name using avahi_unescape_label() |
| |
| Previously we could create invalid escape sequence when we split the |
| string on dot. For example, from valid host name "foo\\.bar" we have |
| created invalid name "foo\\" and tried to set that as the host name |
| which crashed the daemon. |
| |
| Fixes #453 |
| |
| CVE-2023-38471 |
| |
| Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/jammy-security |
| Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09] |
| CVE: CVE-2023-38471 |
| Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> |
| --- |
| avahi-core/server.c | 27 +++++++++++++++++++++------ |
| 1 file changed, 21 insertions(+), 6 deletions(-) |
| |
| Index: avahi-0.8/avahi-core/server.c |
| =================================================================== |
| --- avahi-0.8.orig/avahi-core/server.c |
| +++ avahi-0.8/avahi-core/server.c |
| @@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) |
| } |
| |
| int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { |
| - char *hn = NULL; |
| + char label_escaped[AVAHI_LABEL_MAX*4+1]; |
| + char label[AVAHI_LABEL_MAX]; |
| + char *hn = NULL, *h; |
| + size_t len; |
| + |
| assert(s); |
| |
| AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); |
| @@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServ |
| else |
| hn = avahi_normalize_name_strdup(host_name); |
| |
| - hn[strcspn(hn, ".")] = 0; |
| + h = hn; |
| + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { |
| + avahi_free(h); |
| + return AVAHI_ERR_INVALID_HOST_NAME; |
| + } |
| + |
| + avahi_free(h); |
| |
| - if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { |
| - avahi_free(hn); |
| + h = label_escaped; |
| + len = sizeof(label_escaped); |
| + if (!avahi_escape_label(label, strlen(label), &h, &len)) |
| + return AVAHI_ERR_INVALID_HOST_NAME; |
| + |
| + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) |
| return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); |
| - } |
| |
| withdraw_host_rrs(s); |
| |
| avahi_free(s->host_name); |
| - s->host_name = hn; |
| + s->host_name = avahi_strdup(label_escaped); |
| + if (!s->host_name) |
| + return AVAHI_ERR_NO_MEMORY; |
| |
| update_fqdn(s); |
| |