Avoid infinite-loop in avahi-daemon by handling HUP event in client_work #330
Conversation
If a client fills the input buffer, client_work() disables the AVAHI_WATCH_IN event, thus preventing the function from executing the `read` syscall the next times it is called. However, if the client then terminates the connection, the socket file descriptor receives a HUP event, which is not handled, thus the kernel keeps marking the HUP event as occurring. While iterating over the file descriptors that triggered an event, the client file descriptor will keep having the HUP event and the client_work() function is always called with AVAHI_WATCH_HUP but without nothing being done, thus entering an infinite loop. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
|
By the way, I've requested a CVE through Red Hat for this issue. |
|
CVE-2021-3468 has been assigned for this issue according to https://bugzilla.redhat.com/show_bug.cgi?id=1939614 |
|
@lathiat, could you take a look at this whenever free, please? 😅 |
https://build.opensuse.org/request/show/887505 by user dimstar + dimstar_suse - Add avahi-CVE-2021-3468.patch: avoid infinite loop by handling HUP event in client_work (boo#1184521 CVE-2021-3468). avahi/avahi#330 (forwarded request 887071 from mgorse)
|
Ping on this. |
Source: https://github.com/lathiat/avahi MR: 111703 Type: Security Fix Disposition: Backport from avahi/avahi#330 ChangeID: 6236249cc3c0e170f1ba87d47b0fa7720317f2cc Description: CVE-2021-3468 : Avoid infinite-loop in avahi-daemon by handling HUP event in client_work Signed-off-by: Milan Shah <mshah@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
|
@lathiat could you have a look at this PR? |
@lathiat any chance you could review the pull request so we can have the fixes applied in time for the next Debian release 'bookworm'? |
|
Merged, haven't found anything this might break. Has this change been tested on any distribution already, at least rolling one? It was not tested in Fedora. |
|
It wasn't tested in Debian either, as I wanted to have an ack from upstream first. |
This fixes the infinite loop bug of net-dns/avahi as described here: avahi/avahi#330 Bug: https://bugs.gentoo.org/793953 Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
This fixes the infinite loop bug of net-dns/avahi as described here: avahi/avahi#330 Bug: https://bugs.gentoo.org/793953 Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
If a client fills the input buffer, client_work() disables the
AVAHI_WATCH_IN event, thus preventing the function from executing the
readsyscall the next times it is called. However, if the client thenterminates the connection, the socket file descriptor receives a HUP
event, which is not handled, thus the kernel keeps marking the HUP event
as occurring. While iterating over the file descriptors that triggered
an event, the client file descriptor will keep having the HUP event and
the client_work() function is always called with AVAHI_WATCH_HUP but
without nothing being done, thus entering an infinite loop.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938