1From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001
2From: Michal Sekletar <msekleta@redhat.com>
3Date: Wed, 11 Oct 2023 17:45:44 +0200
4Subject: [PATCH] avahi: common: derive alternative host name from its
5 unescaped version
6
7Normalization of input makes sure we don't have to deal with special
8cases like unescaped dot at the end of label.
9
10Fixes #451 #487
11
12Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
13CVE: CVE-2023-38473
14
15Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
16---
17 avahi-common/alternative-test.c | 3 +++
18 avahi-common/alternative.c | 27 +++++++++++++++++++--------
19 2 files changed, 22 insertions(+), 8 deletions(-)
20
21diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
22index 9255435..681fc15 100644
23--- a/avahi-common/alternative-test.c
24+++ b/avahi-common/alternative-test.c
25@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
26 const char* const test_strings[] = {
27 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
28 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
29+ ").",
30+ "\\.",
31+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
32 "gurke",
33 "-",
34 " #",
35diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
36index b3d39f0..a094e6d 100644
37--- a/avahi-common/alternative.c
38+++ b/avahi-common/alternative.c
39@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
40 }
41
42 char *avahi_alternative_host_name(const char *s) {
43+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
44+ char *alt, *r, *ret;
45 const char *e;
46- char *r;
47+ size_t len;
48
49 assert(s);
50
51 if (!avahi_is_valid_host_name(s))
52 return NULL;
53
54- if ((e = strrchr(s, '-'))) {
55+ if (!avahi_unescape_label(&s, label, sizeof(label)))
56+ return NULL;
57+
58+ if ((e = strrchr(label, '-'))) {
59
const char *p;
60
61 e++;
62@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
63
64 if (e) {
65 char *c, *m;
66- size_t l;
67 int n;
68
69 n = atoi(e)+1;
70 if (!(m = avahi_strdup_printf("%i", n)))
71 return NULL;
72
73- l = e-s-1;
74+ len = e-label-1;
75
76- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
77- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
78+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
79+ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
80
81- if (!(c = avahi_strndup(s, l))) {
82+ if (!(c = avahi_strndup(label, len))) {
83 avahi_free(m);
84 return NULL;
85 }
86@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
87 } else {
88 char *c;
89
90- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
91+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
92 return NULL;
93
94 drop_incomplete_utf8(c);
95@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
96 avahi_free(c);
97 }
98
99+ alt = alternative;
100+ len = sizeof(alternative);
101+ ret = avahi_escape_label(r, strlen(r), &alt, &len);
102+
103+ avahi_free(r);
104+ r = avahi_strdup(ret);
105+
106 assert(avahi_is_valid_host_name(r));
107
108 return r;
109--
1102.40.0
111
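Review bot: The two stack buffers added at the top of `avahi_alternative_host_name` (first hunk of alternative.c) have no comment explaining their sizes or roles, and the new `avahi_unescape_label(&s, label, sizeof(label))` call is handed `&s`, so `s` may no longer point at the start of the input afterwards. I would document both, for example `/* label: unescaped first label; alternative: escaped result, presumably sized for 4 output bytes per input byte plus NUL (confirm against avahi_escape_label) */` above the declarations and `/* s may be advanced by this call; only label is used from here on */` above the unescape call. That makes it clear to the next maintainer why every later `s` became `label`, and that reintroducing `s` in the suffix arithmetic would be wrong. The function body continues beyond this hunk.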
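Review bot: In the last hunk of alternative.c, the results of `avahi_escape_label()` and `avahi_strdup(ret)` go unchecked into `assert(avahi_is_valid_host_name(r))`. If either returns NULL (their failure behaviour is not visible here), the function ends in an assertion failure or a NULL dereference that aborts the calling process, instead of the `return NULL` every other error path uses. I would replace `r = avahi_strdup(ret);` with `if (!ret || !(r = avahi_strdup(ret))) return NULL;`, keeping the `avahi_free(r)` before it. The same applies to `strlen(r)` in the escape call: `r` is assigned outside this hunk, and if that allocation can fail it needs an `if (!r) return NULL;` before line 101. Any assert that stays should cover internal invariants only, not conditions that depend on allocation or input-derived lengths.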