Fix CVE-2021-3468
Resolves: RHEL-9542
This commit is contained in:
Michal Sekletar
parent
5ce6485fac
commit
e0fa763377
@ -0,0 +1,40 @@
|
||||
From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
|
||||
From: Riccardo Schirone <sirmy15@gmail.com>
|
||||
Date: Fri, 26 Mar 2021 11:50:24 +0100
|
||||
Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
|
||||
client_work
|
||||
|
||||
If a client fills the input buffer, client_work() disables the
|
||||
AVAHI_WATCH_IN event, thus preventing the function from executing the
|
||||
`read` syscall the next times it is called. However, if the client then
|
||||
terminates the connection, the socket file descriptor receives a HUP
|
||||
event, which is not handled, thus the kernel keeps marking the HUP event
|
||||
as occurring. While iterating over the file descriptors that triggered
|
||||
an event, the client file descriptor will keep having the HUP event and
|
||||
the client_work() function is always called with AVAHI_WATCH_HUP but
|
||||
without nothing being done, thus entering an infinite loop.
|
||||
|
||||
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
|
||||
---
|
||||
avahi-daemon/simple-protocol.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
|
||||
index 3e0ebb1..6c0274d 100644
|
||||
--- a/avahi-daemon/simple-protocol.c
|
||||
+++ b/avahi-daemon/simple-protocol.c
|
||||
@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
|
||||
}
|
||||
}
|
||||
|
||||
+ if (events & AVAHI_WATCH_HUP) {
|
||||
+ client_free(c);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
c->server->poll_api->watch_update(
|
||||
watch,
|
||||
(c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -26,7 +26,7 @@
|
||||
|
||||
Name: avahi
|
||||
Version: 0.7
|
||||
Release: 26%{?dist}
|
||||
Release: 27%{?dist}
|
||||
Summary: Local network service discovery
|
||||
License: LGPLv2+
|
||||
URL: http://avahi.org
|
||||
@ -95,6 +95,7 @@ Patch0010: 0001-common-derive-alternative-host-name-from-its-unescap.patch
|
||||
Patch0011: 0001-core-extract-host-name-using-avahi_unescape_label.patch
|
||||
Patch0012: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch
|
||||
Patch0013: 0001-core-reject-overly-long-TXT-resource-records.patch
|
||||
Patch0014: 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
|
||||
|
||||
## downstream patches
|
||||
Patch100: avahi-0.6.30-mono-libdir.patch
|
||||
@ -663,6 +664,9 @@ exit 0
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-27
|
||||
- Fix CVE-2021-3468 (RHEL-9542)
|
||||
|
||||
* Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-26
|
||||
- Fix CVE-2023-38469 (RHEL-5635)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user