Patrick Williams | ac13d5f | 2023-11-24 18:59:46 -0600 | 1 | From 48d745db7fd554fc33e96ec86d3675ebd530bb8e Mon Sep 17 00:00:00 2001 |
| 2 | From: Michal Sekletar <msekleta@redhat.com> |
| 3 | Date: Mon, 23 Oct 2023 13:38:35 +0200 |
| 4 | Subject: [PATCH] avahi: core: extract host name using avahi_unescape_label() |
| 5 | |
| 6 | Previously we could create invalid escape sequence when we split the |
| 7 | string on dot. For example, from valid host name "foo\\.bar" we have |
| 8 | created invalid name "foo\\" and tried to set that as the host name |
| 9 | which crashed the daemon. |
| 10 | |
| 11 | Fixes #453 |
| 12 | |
| 13 | Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09] |
| 14 | CVE: CVE-2023-38471 |
| 15 | |
| 16 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> |
| 17 | --- |
| 18 | avahi-core/server.c | 27 +++++++++++++++++++++------ |
| 19 | 1 file changed, 21 insertions(+), 6 deletions(-) |
| 20 | |
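--- a/avahi-core/server.c
+++ b/avahi-core/server.c
@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
 }
 
 int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
- char *hn = NULL;
+ char label_escaped[AVAHI_LABEL_MAX*4+1];
+ char label[AVAHI_LABEL_MAX];
+ char *hn = NULL, *h;
+ size_t len;
+
 assert(s);
 
 AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
 else
 hn = avahi_normalize_name_strdup(host_name);
 
- hn[strcspn(hn, ".")] = 0;
+ h = hn;
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+ avahi_free(h);
+ return AVAHI_ERR_INVALID_HOST_NAME;
+ }
+
+ avahi_free(h);
+
+ h = label_escaped;
+ len = sizeof(label_escaped);
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
+ return AVAHI_ERR_INVALID_HOST_NAME;
 
- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
- avahi_free(hn);
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
 return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
- }
 
 withdraw_host_rrs(s);
 
 avahi_free(s->host_name);
- s->host_name = hn;
+ s->host_name = avahi_strdup(label_escaped);
+ if (!s->host_name)
+ return AVAHI_ERR_NO_MEMORY;
 
 update_fqdn(s);
 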
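Review bot: In the second hunk the old `s->host_name` is freed and `withdraw_host_rrs(s)` has already run before the result of `avahi_strdup(label_escaped)` is checked, so an allocation failure returns with the host records withdrawn and `s->host_name` set to NULL. Duplicating the escaped label first and swapping it in only after it succeeded keeps the previous name intact on that path, as sketched below. The three new error returns also hand back the raw code, whereas the `AVAHI_ERR_NO_CHANGE` path goes through `avahi_server_set_errno(s, ...)`; routing them the same way would keep the server's stored error consistent with the return value. Separately, the result of `avahi_normalize_name_strdup()` / `avahi_get_host_name_strdup()` reaches `avahi_unescape_label()` without a NULL check, which is worth confirming against those helpers since their bodies are not in this diff. The function continues past the end of the hunk.

```c
    /* … unchanged: unescape/escape of the first label, NO_CHANGE check … */
    h = avahi_strdup(label_escaped);
    if (!h)
        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);

    withdraw_host_rrs(s);

    avahi_free(s->host_name);
    s->host_name = h;
    /* … unchanged: update_fqdn(s) and the rest of the function … */
```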
| 72 | -- |
| 73 | 2.40.0 |