From 20011324500a728851e4888c890a756ecf71394b Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 27 Oct 2005 14:30:46 +0000
Subject: Add validity checking to TXT data parsing, this fixes a remotely exploitable vulnerability.
git-svn-id: file:///home/lennart/svn/public/avahi/trunk@888 941a03a8-eaeb-0310-b9a0-b1bbd8fe43fe
---
 avahi-compat-howl/compat.c | 12 ++++++++++--
 avahi-compat-howl/text.c | 9 ++++++++-
 2 files changed, 18 insertions(+), 3 deletions(-) (limited to 'avahi-compat-howl')
diff --git a/avahi-compat-howl/compat.c b/avahi-compat-howl/compat.c
index 9160fdb..18171f8 100644
--- a/avahi-compat-howl/compat.c
+++ b/avahi-compat-howl/compat.c
@@ -769,6 +769,7 @@ sw_result sw_discovery_publish(
 oid_data *data;
 sw_result result = SW_E_UNKNOWN;
 service_data *sdata;
+ AvahiStringList *txt = NULL;
 assert(self);
 assert(name);
@@ -778,10 +779,17 @@ sw_result sw_discovery_publish(
 AVAHI_WARN_LINKAGE;
- if ((*oid = oid_alloc(self, OID_ENTRY_GROUP)) == (sw_discovery_oid) -1)
+ if (text_record && text_record_len > 0)
+ if (avahi_string_list_parse(text_record, text_record_len, &txt) < 0)
+ return SW_E_UNKNOWN;
+
+ if ((*oid = oid_alloc(self, OID_ENTRY_GROUP)) == (sw_discovery_oid) -1) {
+ avahi_string_list_free(txt);
 return SW_E_UNKNOWN;
+ }
 if (!(sdata = service_data_new(self))) {
+ avahi_string_list_free(txt);
 oid_release(self, *oid);
 return SW_E_MEM;
 }
@@ -798,7 +806,7 @@ sw_result sw_discovery_publish(
 sdata->domain = domain ? avahi_normalize_name_strdup(domain) : NULL;
 sdata->host = host ? avahi_normalize_name_strdup(host) : NULL;
 sdata->port = port;
- sdata->txt = text_record && text_record_len > 0 ? avahi_string_list_parse(text_record, text_record_len) : NULL;
+ sdata->txt = txt;
 /* Some OOM checking would be cool here */
diff --git a/avahi-compat-howl/text.c b/avahi-compat-howl/text.c
index fb05acf..3b717be 100644
--- a/avahi-compat-howl/text.c
+++ b/avahi-compat-howl/text.c
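Review bot: The new validation in sw_discovery_publish (compat.c hunk at -778,10) is written as a nested `if` without braces, which is fragile in exactly the place where the next check is likely to be added; I would fold it into `if (text_record && text_record_len > 0 && avahi_string_list_parse(text_record, text_record_len, &txt) < 0) return SW_E_UNKNOWN;`. A short comment such as `/* Reject malformed TXT data before allocating any state */` would record why the parse was hoisted above oid_alloc(). A rejected record is reported as SW_E_UNKNOWN, the same code as a failed oid_alloc(), so callers cannot tell bad input from an internal error. The function body continues outside the hunk.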
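Review bot: `sdata->txt = txt;` (compat.c hunk at -798,7) is the point where ownership of the parsed list passes to sdata, but the lines between the service_data_new() check and this assignment are outside the hunk, and any early return added there would leak txt because only the two failure paths in the previous hunk free it. Assigning sdata->txt directly after service_data_new() succeeds would close that window; at minimum a comment like `/* sdata owns txt from here on */` should mark the hand-over. This assumes the code that releases sdata also frees sdata->txt, which this patch does not show.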
@@ -194,6 +194,7 @@ sw_result sw_text_record_iterator_init(
 sw_octets text_record,
 sw_uint32 text_record_len) {
+ AvahiStringList *txt;
 assert(self);
 AVAHI_WARN_LINKAGE;
@@ -203,7 +204,13 @@ sw_result sw_text_record_iterator_init(
 return SW_E_UNKNOWN;
 }
- (*self)->index = (*self)->strlst = avahi_string_list_reverse(avahi_string_list_parse(text_record, text_record_len));
+ if (avahi_string_list_parse(text_record, text_record_len, &txt) < 0) {
+ avahi_free(*self);
+ *self = NULL;
+ return SW_E_UNKNOWN;
+ }
+
+ (*self)->index = (*self)->strlst = avahi_string_list_reverse(txt);
 return SW_OKAY;
 }
-- cgit
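Review bot: `AvahiStringList *txt;` in sw_text_record_iterator_init (text.c hunk at -194,6) is left uninitialised, while the same local in sw_discovery_publish is set to NULL. The later avahi_string_list_reverse(txt) is then only safe if avahi_string_list_parse() writes its output argument on every successful return, including for an empty record, and the parser is not part of this patch. `AvahiStringList *txt = NULL;` removes that dependency at no cost. The rest of the function is in the next hunk.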
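Review bot: In the text.c hunk at -203,7, text_record and text_record_len are handed to avahi_string_list_parse() without the `text_record && text_record_len > 0` guard that sw_discovery_publish applies in compat.c, so a NULL record with a non-zero length is left for the parser to handle. Whether the parser tolerates that is not visible here; an explicit `if (!text_record && text_record_len > 0) return SW_E_UNKNOWN;` ahead of the allocation of *self (which is outside the hunk) would make the two entry points consistent. The failure path itself looks right: *self is freed and reset to NULL before returning, so the caller is not left with a dangling iterator.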