Patrick Williams | ac13d5f | 2023-11-24 18:59:46 -0600 | 1 | From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001 |
| 2 | From: Michal Sekletar <msekleta@redhat.com> |
| 3 | Date: Wed, 11 Oct 2023 17:45:44 +0200 |
| 4 | Subject: [PATCH] avahi: common: derive alternative host name from its |
| 5 | unescaped version |
| 6 | |
| 7 | Normalization of input makes sure we don't have to deal with special |
| 8 | cases like unescaped dot at the end of label. |
| 9 | |
| 10 | Fixes #451 #487 |
| 11 | |
| 12 | Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797] |
| 13 | CVE: CVE-2023-38473 |
| 14 | |
| 15 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> |
| 16 | --- |
| 17 | avahi-common/alternative-test.c | 3 +++ |
| 18 | avahi-common/alternative.c | 27 +++++++++++++++++++-------- |
| 19 | 2 files changed, 22 insertions(+), 8 deletions(-) |
| 20 | |
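--- a/avahi-common/alternative-test.c
+++ b/avahi-common/alternative-test.c
@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
 const char* const test_strings[] = {
 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
+ ").",
+ "\\.",
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
 "gurke",
 "-",
 " #",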
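--- a/avahi-common/alternative.c
+++ b/avahi-common/alternative.c
@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
 }
 
 char *avahi_alternative_host_name(const char *s) {
+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
+ char *alt, *r, *ret;
 const char *e;
- char *r;
+ size_t len;
 
 assert(s);
 
 if (!avahi_is_valid_host_name(s))
 return NULL;
 
- if ((e = strrchr(s, '-'))) {
+ if (!avahi_unescape_label(&s, label, sizeof(label)))
+ return NULL;
+
+ if ((e = strrchr(label, '-'))) {
 const char *p;
 
 e++;
@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
 
 if (e) {
 char *c, *m;
- size_t l;
 int n;
 
 n = atoi(e)+1;
 if (!(m = avahi_strdup_printf("%i", n)))
 return NULL;
 
- l = e-s-1;
+ len = e-label-1;
 
- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
 
- if (!(c = avahi_strndup(s, l))) {
+ if (!(c = avahi_strndup(label, len))) {
 avahi_free(m);
 return NULL;
 }
@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
 } else {
 char *c;
 
- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
 return NULL;
 
 drop_incomplete_utf8(c);
@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
 avahi_free(c);
 }
 
+ alt = alternative;
+ len = sizeof(alternative);
+ ret = avahi_escape_label(r, strlen(r), &alt, &len);
+
+ avahi_free(r);
+ r = avahi_strdup(ret);
+
 assert(avahi_is_valid_host_name(r));
 
 return r;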
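Review bot: In the last hunk the results of `avahi_escape_label` and `avahi_strdup` are used unchecked, so a NULL from either would reach `assert(avahi_is_valid_host_name(r))` and presumably abort the process, where the function's other error paths return NULL. The `AVAHI_LABEL_MAX*4+1` buffer looks large enough for a worst-case escape of one label, so the escape failure is unlikely. Since this patch fixes a reachable assertion (CVE-2023-38473), the tail should still fail closed: add `if (!ret) return NULL;` after `avahi_free(r);`, and replace the strdup line with `if (!(r = avahi_strdup(ret))) return NULL;`. A short comment such as `/* re-escape: the name was built from the unescaped label */` above the new block would explain why the result is escaped again. The function's closing brace lies outside this hunk.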
| 109 | -- |
| 110 | 2.40.0 |