Andrew Geissler | 0903674 | 2021-06-25 14:25:14 -0500 | 1 | CVE: CVE-2021-3468 |
| 2 | Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/330] |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001 |
| 6 | From: Riccardo Schirone <sirmy15@gmail.com> |
| 7 | Date: Fri, 26 Mar 2021 11:50:24 +0100 |
| 8 | Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in |
| 9 | client_work |
| 10 | |
| 11 | If a client fills the input buffer, client_work() disables the |
| 12 | AVAHI_WATCH_IN event, thus preventing the function from executing the |
| 13 | `read` syscall the next time it is called. However, if the client then |
| 14 | terminates the connection, the socket file descriptor receives a HUP |
| 15 | event, which is not handled, thus the kernel keeps marking the HUP event |
| 16 | as occurring. While iterating over the file descriptors that triggered |
| 17 | an event, the client file descriptor will keep having the HUP event and |
| 18 | the client_work() function is always called with AVAHI_WATCH_HUP but |
| 19 | with nothing being done, thus entering an infinite loop. |
| 20 | |
| 21 | See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938 |
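The level-triggered behaviour the message describes, as an added example that is not code from avahi or from this patch: a socketpair stands in for the client connection, the interest set is emptied the way client_work() does once the input buffer has filled, and the loop counts how many times poll() keeps waking up with POLLHUP when the event is ignored versus when the descriptor is torn down.

```c
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Drive a watch loop over a socket whose peer has disconnected.
 * handle_hup == 0 mimics the unpatched client_work(): the HUP event is
 * reported but nothing is done about it.  handle_hup != 0 mimics the
 * patch: the fd is closed (as client_free() would) and the loop ends.
 * Returns how many poll() wake-ups occurred, capped at max_iter, or -1
 * if the socketpair could not be created. */
int drive_watch(int handle_hup, int max_iter)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int client = sv[0], peer = sv[1];

    /* Constructed scenario: the peer sends some data and then hangs up. */
    (void)write(peer, "hello", 5);
    close(peer);

    /* As after the input buffer filled: AVAHI_WATCH_IN was disabled, so
     * the interest set is empty.  POLLHUP is reported regardless. */
    struct pollfd pfd = { .fd = client, .events = 0, .revents = 0 };
    int wakeups = 0;

    while (wakeups < max_iter) {
        int n = poll(&pfd, 1, 0);      /* zero timeout: never block */
        if (n <= 0)
            break;                     /* error, or nothing pending */
        wakeups++;
        if (pfd.revents & POLLHUP) {
            if (handle_hup) {          /* the fix: tear the client down */
                close(client);
                client = -1;
                break;
            }
            /* unpatched: nothing done, so the kernel reports the same
             * HUP again on the very next poll() call */
        }
    }
    if (client >= 0)
        close(client);
    return wakeups;
}
```

With the HUP ignored the loop only stops at the cap, which is the daemon's infinite loop in miniature; with the HUP handled it ends after a single wake-up.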
| 22 | --- |
| 23 | avahi-daemon/simple-protocol.c | 5 +++++ |
| 24 | 1 file changed, 5 insertions(+) |
| 25 | |
| 26 | diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c |
| 27 | index 3e0ebb11..6c0274d6 100644 |
| 28 | --- a/avahi-daemon/simple-protocol.c |
| 29 | +++ b/avahi-daemon/simple-protocol.c |
| 30 | @@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv |
| 31 | } |
| 32 | } |
| 33 | |
| 34 | + if (events & AVAHI_WATCH_HUP) { |
| 35 | + client_free(c); |
| 36 | + return; |
| 37 | + } |
| 38 | + |
| 39 | c->server->poll_api->watch_update( |
| 40 | watch, |
| 41 | (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) | |
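Review bot: the `return` after `client_free(c)` is load-bearing, not a style choice: the `watch_update()` call that immediately follows dereferences `c->server`, so falling through would be a use-after-free, and a one-line comment in the hunk would stop a later refactor from dropping it. Two further points: the check tests only `AVAHI_WATCH_HUP`, and an `AVAHI_WATCH_ERR` condition left unhandled would keep the watch firing by the same level-triggered mechanism the commit message describes, so `if (events & (AVAHI_WATCH_HUP | AVAHI_WATCH_ERR))` is the more robust form; and placing the check after the earlier event handling rather than at the top of `client_work()` is the right order, since data that arrived before the hang-up is still processed first.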