libs/avahi/patches/302-CVE-2023-38471.patch

   1 From d486bca7e7912c6a4b547a3c607db0d0d3124bbf Mon Sep 17 00:00:00 2001
   2 From: Michal Sekletar <msekleta@redhat.com>
   3 Date: Mon, 23 Oct 2023 13:38:35 +0200
   4 Subject: [PATCH] core: extract host name using avahi_unescape_label()
   5
   6 Previously we could create invalid escape sequence when we split the
   7 string on dot. For example, from valid host name "foo\\.bar" we have
   8 created invalid name "foo\\" and tried to set that as the host name
   9 which crashed the daemon.
  10
  11 Fixes #453
  12
  13 CVE-2023-38471
  14 ---
  15  avahi-core/server.c | 27 +++++++++++++++++++++------
  16  1 file changed, 21 insertions(+), 6 deletions(-)
  17
  18 --- a/avahi-core/server.c
  19 +++ b/avahi-core/server.c
  20 @@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s)
  21  }
  22
  23  int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
  24 -    char *hn = NULL;
  25 +    char label_escaped[AVAHI_LABEL_MAX*4+1];
  26 +    char label[AVAHI_LABEL_MAX];
  27 +    char *hn = NULL, *h;
  28 +    size_t len;
  29 +
  30      assert(s);
  31
  32      AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
  33 @@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServ
  34      else
  35          hn = avahi_normalize_name_strdup(host_name);
  36
  37 -    hn[strcspn(hn, ".")] = 0;
  38 +    h = hn;
  39 +    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
  40 +        avahi_free(h);
  41 +        return AVAHI_ERR_INVALID_HOST_NAME;
  42 +    }
  43 +
  44 +    avahi_free(h);
  45
  46 -    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
  47 -        avahi_free(hn);
  48 +    h = label_escaped;
  49 +    len = sizeof(label_escaped);
  50 +    if (!avahi_escape_label(label, strlen(label), &h, &len))
  51 +        return AVAHI_ERR_INVALID_HOST_NAME;
  52 +
  53 +    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
  54          return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
  55 -    }
  56
  57      withdraw_host_rrs(s);
  58
  59      avahi_free(s->host_name);
  60 -    s->host_name = hn;
  61 +    s->host_name = avahi_strdup(label_escaped);
  62 +    if (!s->host_name)
  63 +        return AVAHI_ERR_NO_MEMORY;
  64
  65      update_fqdn(s);
  66