From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001 From: Evgeny Vereshchagin Date: Mon, 23 Oct 2023 20:29:31 +0000 Subject: [PATCH] core: reject overly long TXT resource records Closes https://github.com/lathiat/avahi/issues/455 CVE-2023-38469 --- avahi-core/rr.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/avahi-core/rr.c b/avahi-core/rr.c index 2bb8924..9c04ebb 100644 --- a/avahi-core/rr.c +++ b/avahi-core/rr.c @@ -32,6 +32,7 @@ #include #include +#include "dns.h" #include "rr.h" #include "log.h" #include "util.h" @@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) { case AVAHI_DNS_TYPE_TXT: { AvahiStringList *strlst; + size_t used = 0; - for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) + for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) { if (strlst->size > 255 || strlst->size <= 0) return 0; + used += 1+strlst->size; + if (used > AVAHI_DNS_RDATA_MAX) + return 0; + } + return 1; } } -- 2.44.0
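Review bot: The new `used` accounting in the `AVAHI_DNS_TYPE_TXT` case has no comment explaining the `1+` term or which limit `AVAHI_DNS_RDATA_MAX` stands for, so a reader has to work out that the sum mirrors the serialized rdata. I would add above the loop something like `/* Each string costs one length byte plus its data when serialized; the total must fit within the maximum rdata size. */`. The same comment could note that `used` cannot wrap, because each `strlst->size` is already bounded by 255 when it is added and the total is checked on every iteration. The diffstat shows only rr.c changed, so a regression test with a TXT record whose strings each pass the 255 check but together exceed the limit would pin the behaviour fixed for CVE-2023-38469. `avahi_record_is_valid` starts and ends outside this hunk, so whether every path that builds TXT records from client input reaches this check before serialization is not visible here.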