CVE-2011-1002: Avahi Daemon Remote Denial of Service
This vulnerability was reported by ‘nuh’ as we can see in the official bug report and it affects all versions greater than 0.6.24. The bug can be triggered by sending a NULL UDP packet to the Avahi daemon’s listening port (aka 5353). If we have a look in avahi-core/socket.c file we’ll see the following routine…
AvahiDnsPacket *avahi_recv_dns_packet_ipv4(
int fd,
AvahiIPv4Address *ret_src_address,
uint16_t *ret_src_port,
AvahiIPv4Address *ret_dst_address,
AvahiIfIndex *ret_iface,
uint8_t *ret_ttl) {
AvahiDnsPacket *p= NULL;
struct msghdr msg;
struct iovec io;
size_t aux[1024 / sizeof(size_t)]; /* for alignment on ia64 ! */
...
if (ioctl(fd, FIONREAD, &ms) < 0) {
avahi_log_warn("ioctl(): %s", strerror(errno));
goto fail;
}
...
/* For corrupt packets FIONREAD returns zero size (See rhbz #607297) */
if (!ms)
goto fail;
...
fail:
if (p)
avahi_dns_packet_free(p);
return NULL;
}
Here, this routine is used to process the received IPv4 DNS packet. After reading and storing the new message to ‘ms’ structure, it checks it against zero since there was a previous bug as you can read in the developer’s comment. The ‘fail’ label will end up calling avahi_dns_packet_free() function if it’s dealing with a non-NULL packet. However, in this case ‘p’ is NULL and it will just immediately return NULL without invoking the latter routine.
Because of this, the NULL message is never cleared and it results in an infinite loop denial of service. To fix this bug the corrupted packet check is moved after the packet retrieval as you can see in this patch. Additionally, a similar patch was applied to the equivalent IPv6 routine named avahi_recv_dns_packet_ipv6().
xorl %eax, %eax 
Leave a Reply