1From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001
2From: Michal Sekletar <msekleta@redhat.com>
3Date: Wed, 11 Oct 2023 17:45:44 +0200
4Subject: [PATCH] avahi: common: derive alternative host name from its
5 unescaped version
6
7Normalization of input makes sure we don't have to deal with special
8cases like unescaped dot at the end of label.
9
10Fixes #451 #487
11
12Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
13CVE: CVE-2023-38473
14
15Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
16---
17 avahi-common/alternative-test.c |  3 +++
18 avahi-common/alternative.c      | 27 +++++++++++++++++++--------
19 2 files changed, 22 insertions(+), 8 deletions(-)
20
21diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
22index 9255435..681fc15 100644
23--- a/avahi-common/alternative-test.c
24+++ b/avahi-common/alternative-test.c
25@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
26     const char* const test_strings[] = {
27         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
28         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
29+        ").",
30+        "\\.",
31+        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
32         "gurke",
33         "-",
34         " #",
35diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
36index b3d39f0..a094e6d 100644
37--- a/avahi-common/alternative.c
38+++ b/avahi-common/alternative.c
39@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
40 }
41
42 char *avahi_alternative_host_name(const char *s) {
43+    char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
44+    char *alt, *r, *ret;
45     const char *e;
46-    char *r;
47+    size_t len;
48
49     assert(s);
50
51     if (!avahi_is_valid_host_name(s))
52         return NULL;
53
54-    if ((e = strrchr(s, '-'))) {
55+    if (!avahi_unescape_label(&s, label, sizeof(label)))
56+        return NULL;
57+
58+    if ((e = strrchr(label, '-'))) {
59         const char *p;
60
61         e++;
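Review bot: The added declaration `alternative[AVAHI_LABEL_MAX*4+1]` carries an unexplained size, and nothing records that `avahi_unescape_label(&s, ...)` advances `s` and that only the first label is used afterwards. A comment on the declaration such as `/* worst case: every label byte escapes to 4 chars, plus NUL */` would document the bound. A second one above the unescape call, such as `/* s is expected to hold exactly one label; the rest of s is ignored */`, would record the other assumption. Whether `avahi_is_valid_host_name()` really guarantees a single label is not visible in this hunk, so confirm that before committing the wording. The function body continues outside the hunk.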
62@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
63
64     if (e) {
65         char *c, *m;
66-        size_t l;
67         int n;
68
69         n = atoi(e)+1;
70         if (!(m = avahi_strdup_printf("%i", n)))
71             return NULL;
72
73-        l = e-s-1;
74+        len = e-label-1;
75
76-        if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
77-            l = AVAHI_LABEL_MAX-1-strlen(m)-1;
78+        if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
79+            len = AVAHI_LABEL_MAX-1-strlen(m)-1;
80
81-        if (!(c = avahi_strndup(s, l))) {
82+        if (!(c = avahi_strndup(label, len))) {
83             avahi_free(m);
84             return NULL;
85         }
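Review bot: `n = atoi(e)+1` still parses the digit suffix of the now-unescaped label with no range check. `atoi` has undefined behaviour when the value does not fit in `int`, and the `+1` overflows for a suffix equal to `INT_MAX`. The code that validates the suffix lies between the hunks and is not visible here, so the digit count may already be bounded. If it is not, parse with `strtol`, test `errno == ERANGE` and handle values `>= INT_MAX` explicitly before incrementing. Separately, the clamp `AVAHI_LABEL_MAX-1-strlen(m)-1` is written twice; a local such as `const size_t max_len = AVAHI_LABEL_MAX-1-strlen(m)-1;` would make the truncation easier to audit.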
86@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
87     } else {
88         char *c;
89
90-        if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
91+        if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
92             return NULL;
93
94         drop_incomplete_utf8(c);
95@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
96         avahi_free(c);
97     }
98
99+    alt = alternative;
100+    len = sizeof(alternative);
101+    ret = avahi_escape_label(r, strlen(r), &alt, &len);
102+
103+    avahi_free(r);
104+    r = avahi_strdup(ret);
105+
106     assert(avahi_is_valid_host_name(r));
107
108     return r;
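Review bot: The added escape step can reach `assert(avahi_is_valid_host_name(r))` with a NULL `r`, because neither the return of `avahi_escape_label()` nor that of `avahi_strdup(ret)` is checked. The allocations visible in the earlier hunks all return NULL on failure instead. `strlen(r)` also dereferences `r` before any NULL check; the assignments to `r` are outside this hunk, so confirm they cannot leave it NULL. Suggested: `if (!r) return NULL;` before the escape call, and after `avahi_free(r);` use `if (!ret || !(r = avahi_strdup(ret))) return NULL;`. An assert reachable on allocation failure would likely abort the process in builds that keep asserts enabled, which is the failure class this patch is meant to close.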
109--
1102.40.0
111