1*169d7bccSPatrick WilliamsFrom 48d745db7fd554fc33e96ec86d3675ebd530bb8e Mon Sep 17 00:00:00 2001
2*169d7bccSPatrick WilliamsFrom: Michal Sekletar <msekleta@redhat.com>
3*169d7bccSPatrick WilliamsDate: Mon, 23 Oct 2023 13:38:35 +0200
4*169d7bccSPatrick WilliamsSubject: [PATCH] avahi: core: extract host name using avahi_unescape_label()
5*169d7bccSPatrick Williams
6*169d7bccSPatrick WilliamsPreviously we could create invalid escape sequence when we split the
7*169d7bccSPatrick Williamsstring on dot. For example, from valid host name "foo\\.bar" we have
8*169d7bccSPatrick Williamscreated invalid name "foo\\" and tried to set that as the host name
9*169d7bccSPatrick Williamswhich crashed the daemon.
10*169d7bccSPatrick Williams
11*169d7bccSPatrick WilliamsFixes #453
12*169d7bccSPatrick Williams
13*169d7bccSPatrick WilliamsUpstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
14*169d7bccSPatrick WilliamsCVE: CVE-2023-38471
15*169d7bccSPatrick Williams
16*169d7bccSPatrick WilliamsSigned-off-by: Meenali Gupta <meenali.gupta@windriver.com>
17*169d7bccSPatrick Williams---
18*169d7bccSPatrick Williams avahi-core/server.c | 27 +++++++++++++++++++++------
19*169d7bccSPatrick Williams 1 file changed, 21 insertions(+), 6 deletions(-)
20*169d7bccSPatrick Williams
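--- a/avahi-core/server.c
+++ b/avahi-core/server.c
@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
 }
 
 int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
-    char *hn = NULL;
+    char label_escaped[AVAHI_LABEL_MAX*4+1];
+    char label[AVAHI_LABEL_MAX];
+    char *hn = NULL, *h;
+    size_t len;
+
     assert(s);
 
     AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
     else
         hn = avahi_normalize_name_strdup(host_name);
 
-    hn[strcspn(hn, ".")] = 0;
+    h = hn;
+    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+        avahi_free(h);
+        return AVAHI_ERR_INVALID_HOST_NAME;
+    }
+
+    avahi_free(h);
+
+    h = label_escaped;
+    len = sizeof(label_escaped);
+    if (!avahi_escape_label(label, strlen(label), &h, &len))
+        return AVAHI_ERR_INVALID_HOST_NAME;
 
-    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
-        avahi_free(hn);
+    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
-    }
 
     withdraw_host_rrs(s);
 
     avahi_free(s->host_name);
-    s->host_name = hn;
+    s->host_name = avahi_strdup(label_escaped);
+    if (!s->host_name)
+        return AVAHI_ERR_NO_MEMORY;
 
     update_fqdn(s);
 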
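Review bot: The three error returns added to avahi_server_set_host_name() in the second hunk (`return AVAHI_ERR_INVALID_HOST_NAME;` twice and `return AVAHI_ERR_NO_MEMORY;`) hand back the raw code instead of going through `avahi_server_set_errno()`, unlike the `AVAHI_ERR_NO_CHANGE` return just below them, so the server's recorded error is presumably left stale on these paths; each should read like `return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);`. `hn` is also handed to `avahi_unescape_label()` with no NULL check after the `avahi_normalize_name_strdup()` call visible in the context, so an allocation failure would reach the unescape routine as a NULL pointer; adding `if (!hn) return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);` before `h = hn;` closes that. Finally, `avahi_strdup(label_escaped)` runs only after `withdraw_host_rrs(s)` and `avahi_free(s->host_name)`, so a failure there leaves `s->host_name` NULL with the host records already withdrawn; duplicating into a temporary first and swapping it in only on success keeps the server state consistent. The function body continues past the end of the hunk, so the remaining return paths are not visible here.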
72*169d7bccSPatrick Williams--
73*169d7bccSPatrick Williams2.40.0