xorl %eax, %eax

CVE-2011-1002: Avahi Daemon Remote Denial of Service


This vulnerability was reported by ‘nuh’, as we can see in the official bug report, and it affects all versions greater than 0.6.24. The bug can be triggered by sending an empty (“NULL”) UDP packet to the Avahi daemon’s listening port, 5353. If we have a look at the avahi-core/socket.c file we’ll see the following routine…

AvahiDnsPacket *avahi_recv_dns_packet_ipv4(
        int fd,
        AvahiIPv4Address *ret_src_address,
        uint16_t *ret_src_port,
        AvahiIPv4Address *ret_dst_address,
        AvahiIfIndex *ret_iface,
        uint8_t *ret_ttl) {

    AvahiDnsPacket *p = NULL;
    struct msghdr msg;
    struct iovec io;
    size_t aux[1024 / sizeof(size_t)]; /* for alignment on ia64 ! */
    int ms;                            /* bytes pending on fd, as reported by FIONREAD */
    /* ... */
    if (ioctl(fd, FIONREAD, &ms) < 0) {
        avahi_log_warn("ioctl(): %s", strerror(errno));
        goto fail;
    }
    /* ... */
    /* For corrupt packets FIONREAD returns zero size (See rhbz #607297) */
    if (!ms)
        goto fail;                     /* reached before the datagram has been read from fd */
    /* ... packet retrieval (recvmsg) and parsing follow here ... */
fail:
    if (p)
        avahi_dns_packet_free(p);

    return NULL;
}

This routine processes a received IPv4 DNS packet. After querying the size of the pending datagram into ‘ms’ with FIONREAD, it checks that value against zero; the developer’s comment explains that this guard was added for a previous bug. The ‘fail’ label calls avahi_dns_packet_free() only when it is dealing with a non-NULL packet, but at this point ‘p’ is still NULL, so the function just returns NULL immediately without invoking that routine.
Because of this, the empty datagram is never consumed from the socket, the daemon keeps coming back to it, and the result is an infinite loop, i.e. a denial of service. To fix this bug the corrupted-packet check is moved after the packet retrieval, as you can see in this patch. Additionally, a similar patch was applied to the equivalent IPv6 routine, avahi_recv_dns_packet_ipv6().
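The ordering problem described above, as an added example that is not Avahi’s own code: a minimal datagram receive routine written the vulnerable way (zero-size check before the read) next to the same routine written the way the upstream fix orders it (read first, then reject). A local AF_UNIX datagram socket pair stands in for the mDNS UDP socket, the empty datagram is constructed inside the harness, and all function and variable names are mine.

```c
/* Added example (not Avahi's code): the receive ordering behind CVE-2011-1002.
 * Both receive routines return the payload length accepted, or -1 when the
 * datagram is rejected. Names are hypothetical. */
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_SIZE 1500

/* Vulnerable ordering: reject on FIONREAD == 0 before anything is read.
 * The empty datagram stays queued, so the fd never stops being readable. */
static ssize_t recv_check_first(int fd, unsigned char *buf, size_t buflen) {
    int pending = 0;
    if (ioctl(fd, FIONREAD, &pending) < 0)
        return -1;
    if (pending == 0)
        return -1;                      /* BUG: returns with the datagram unread */
    return recv(fd, buf, buflen, 0);
}

/* Fixed ordering (what the upstream patch does): read the datagram, and only
 * then apply the zero-size check. The reject still happens, but the socket
 * has been drained, so a poll/select loop goes back to sleep. */
static ssize_t recv_read_first(int fd, unsigned char *buf, size_t buflen) {
    int pending = 0;
    ssize_t n;
    if (ioctl(fd, FIONREAD, &pending) < 0)
        return -1;
    n = recv(fd, buf, buflen, 0);       /* consume it unconditionally */
    if (n < 0)
        return -1;
    if (pending == 0 || n == 0)
        return -1;                      /* corrupt/empty: rejected after the read */
    return n;
}

/* 1 if fd has a datagram waiting right now, 0 if not, -1 on error. */
static int is_readable(int fd) {
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r = poll(&pfd, 1, 0);
    if (r < 0)
        return -1;
    return (r > 0 && (pfd.revents & POLLIN)) ? 1 : 0;
}

/* Harness: a local AF_UNIX datagram socket pair stands in for the mDNS UDP
 * socket. Exactly one datagram (the constructed `payload`) is queued, rx()
 * runs once, and *left records whether the socket is still readable
 * afterwards (1 = an event loop would spin on it, 0 = drained). */
static ssize_t run_once(ssize_t (*rx)(int, unsigned char *, size_t),
                        const void *payload, size_t len, int *left) {
    int sv[2];
    unsigned char buf[BUF_SIZE];
    ssize_t got;

    *left = -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (send(sv[0], payload, len, 0) < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    got = rx(sv[1], buf, sizeof buf);
    *left = is_readable(sv[1]);
    close(sv[0]);
    close(sv[1]);
    return got;
}

/* Does rx() leave a zero-length datagram queued? (the DoS condition) */
static int empty_datagram_left_queued(ssize_t (*rx)(int, unsigned char *, size_t)) {
    int left;
    (void)run_once(rx, "", 0, &left);   /* constructed input: the empty packet */
    return left;
}

/* How many bytes does rx() accept for an ordinary datagram? */
static ssize_t bytes_accepted(ssize_t (*rx)(int, unsigned char *, size_t),
                              const void *payload, size_t len) {
    int left;
    return run_once(rx, payload, len, &left);
}

int main(void) {
    printf("check-first: empty datagram left queued = %d\n",
           empty_datagram_left_queued(recv_check_first));
    printf("read-first:  empty datagram left queued = %d\n",
           empty_datagram_left_queued(recv_read_first));
    printf("read-first:  bytes accepted for a 3-byte datagram = %zd\n",
           bytes_accepted(recv_read_first, "abc", 3));
    return 0;
}
```

Run as is, the check-first variant reports the socket still readable after one pass, which is exactly the wake-up an event loop would keep getting for the same empty packet; the read-first variant rejects the packet just the same but leaves the socket drained. The property worth checking in any similar receive path is the one the Avahi patch restores: no reject branch may return before the datagram has been pulled off the socket.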

Written by xorl

February 20, 2011 at 14:21

Posted in bugs
