| 1 |
swegener 11/02/27 01:24:33 |
| 2 |
|
| 3 |
Added: avahi-0.6.28-CVE-2011-1002.patch |
| 4 |
Log: |
| 5 |
Revision bump, security bug #355583. |
| 6 |
|
| 7 |
(Portage version: 2.2.0_alpha25/cvs/Linux x86_64) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.1 net-dns/avahi/files/avahi-0.6.28-CVE-2011-1002.patch |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-dns/avahi/files/avahi-0.6.28-CVE-2011-1002.patch?rev=1.1&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-dns/avahi/files/avahi-0.6.28-CVE-2011-1002.patch?rev=1.1&content-type=text/plain |
| 14 |
|
| 15 |
Index: avahi-0.6.28-CVE-2011-1002.patch |
| 16 |
=================================================================== |
| 17 |
From: Vincent Untz <vuntz@××××××××.org> |
| 18 |
Date: Fri, 18 Feb 2011 22:37:00 +0000 (+0100) |
| 19 |
Subject: socket: Still read corrupt packets from the sockets |
| 20 |
X-Git-Url: http://git.0pointer.de/?p=avahi.git;a=commitdiff_plain;h=46109dfec75534fe270c0ab902576f685d5ab3a6 |
| 21 |
|
| 22 |
socket: Still read corrupt packets from the sockets |
| 23 |
|
| 24 |
Else, we end up with an infinite loop with 100% CPU. |
| 25 |
|
| 26 |
http://www.avahi.org/ticket/325 |
| 27 |
https://bugzilla.redhat.com/show_bug.cgi?id=667187 |
| 28 |
--- |
| 29 |
|
| 30 |
diff --git a/avahi-core/socket.c b/avahi-core/socket.c |
| 31 |
index be62105..e69ec7d 100644 |
| 32 |
--- a/avahi-core/socket.c |
| 33 |
+++ b/avahi-core/socket.c |
| 34 |
@@ -653,10 +653,6 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv4( |
| 35 |
goto fail; |
| 36 |
} |
| 37 |
|
| 38 |
- /* For corrupt packets FIONREAD returns zero size (See rhbz #607297) */ |
| 39 |
- if (!ms) |
| 40 |
- goto fail; |
| 41 |
- |
| 42 |
p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE); |
| 43 |
|
| 44 |
io.iov_base = AVAHI_DNS_PACKET_DATA(p); |
| 45 |
@@ -683,10 +679,14 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv4( |
| 46 |
goto fail; |
| 47 |
} |
| 48 |
|
| 49 |
- if (sa.sin_addr.s_addr == INADDR_ANY) { |
| 50 |
+ /* For corrupt packets FIONREAD returns zero size (See rhbz #607297). So |
| 51 |
+ * fail after having read them. */ |
| 52 |
+ if (!ms) |
| 53 |
+ goto fail; |
| 54 |
+ |
| 55 |
+ if (sa.sin_addr.s_addr == INADDR_ANY) |
| 56 |
/* Linux 2.4 behaves very strangely sometimes! */ |
| 57 |
goto fail; |
| 58 |
- } |
| 59 |
|
| 60 |
assert(!(msg.msg_flags & MSG_CTRUNC)); |
| 61 |
assert(!(msg.msg_flags & MSG_TRUNC)); |
| 62 |
@@ -810,10 +810,6 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv6( |
| 63 |
goto fail; |
| 64 |
} |
| 65 |
|
| 66 |
- /* For corrupt packets FIONREAD returns zero size (See rhbz #607297) */ |
| 67 |
- if (!ms) |
| 68 |
- goto fail; |
| 69 |
- |
| 70 |
p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE); |
| 71 |
|
| 72 |
io.iov_base = AVAHI_DNS_PACKET_DATA(p); |
| 73 |
@@ -841,6 +837,11 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv6( |
| 74 |
goto fail; |
| 75 |
} |
| 76 |
|
| 77 |
+ /* For corrupt packets FIONREAD returns zero size (See rhbz #607297). So |
| 78 |
+ * fail after having read them. */ |
| 79 |
+ if (!ms) |
| 80 |
+ goto fail; |
| 81 |
+ |
| 82 |
assert(!(msg.msg_flags & MSG_CTRUNC)); |
| 83 |
assert(!(msg.msg_flags & MSG_TRUNC)); |
Archives