Add validity checking to TXT data parsing, this fixes a remotely exploitable vulnerab...

[catta] / avahi-client / client.c

diff --git a/avahi-client/client.c b/avahi-client/client.c
index 8bc515ee5aa42ff38f99fc5dccca25cda6c920f5..ce4cfa0df4eb03d38e46b687198cd89e484fba82 100644 (file)
--- a/avahi-client/client.c
+++ b/avahi-client/client.c
@@ -67,9 +67,9 @@ static void client_set_state (AvahiClient *client, AvahiServerState state) {
                 dbus_connection_unref(client->bus);
                 client->bus = NULL;
             }
-
+            
             /* Fall through */
-
+            
         case AVAHI_CLIENT_S_COLLISION:
         case AVAHI_CLIENT_S_REGISTERING:
 
@@ -83,7 +83,6 @@ static void client_set_state (AvahiClient *client, AvahiServerState state) {
             client->domain_name = NULL;
             break;
 
-        case AVAHI_CLIENT_S_INVALID:
         case AVAHI_CLIENT_S_RUNNING:
             break;
             
@@ -118,12 +117,12 @@ static DBusHandlerResult filter_func(DBusConnection *bus, DBusMessage *message,
     } if (dbus_message_is_signal(message, DBUS_INTERFACE_DBUS, "NameOwnerChanged")) {
         char *name, *old, *new;
         
-        if (!(dbus_message_get_args(
+        if (!dbus_message_get_args(
                   message, &error,
                   DBUS_TYPE_STRING, &name,
                   DBUS_TYPE_STRING, &old,
                   DBUS_TYPE_STRING, &new,
-                  DBUS_TYPE_INVALID) || dbus_error_is_set (&error))) {
+                  DBUS_TYPE_INVALID) || dbus_error_is_set (&error)) {
 
             fprintf(stderr, "WARNING: Failed to parse NameOwnerChanged signal: %s\n", error.message);
             goto fail;
@@ -139,15 +138,21 @@ static DBusHandlerResult filter_func(DBusConnection *bus, DBusMessage *message,
 
     } else if (dbus_message_is_signal (message, AVAHI_DBUS_INTERFACE_SERVER, "StateChanged")) {
         int32_t state;
+        char *e = NULL;
+        int c;
         
-        if (!(dbus_message_get_args(
+        if (!dbus_message_get_args(
                   message, &error,
                   DBUS_TYPE_INT32, &state,
-                  DBUS_TYPE_INVALID) || dbus_error_is_set (&error))) {
+                  DBUS_TYPE_STRING, &e,
+                  DBUS_TYPE_INVALID) || dbus_error_is_set (&error)) {
             fprintf(stderr, "WARNING: Failed to parse Server.StateChanged signal: %s\n", error.message);
             goto fail;
         }
-            
+
+        if ((c = avahi_error_dbus_to_number(e)) != AVAHI_OK)
+            avahi_client_set_errno(client, c);
+        
         client_set_state(client, (AvahiClientState) state);
 
     } else if (dbus_message_is_signal (message, AVAHI_DBUS_INTERFACE_ENTRY_GROUP, "StateChanged")) {
@@ -161,11 +166,21 @@ static DBusHandlerResult filter_func(DBusConnection *bus, DBusMessage *message,
         
         if (g) {
             int32_t state;
-            if (!(dbus_message_get_args (message, &error, DBUS_TYPE_INT32, &state, DBUS_TYPE_INVALID)) ||
+            char *e;
+            int c;
+            
+            if (!dbus_message_get_args(
+                      message, &error,
+                      DBUS_TYPE_INT32, &state,
+                      DBUS_TYPE_STRING, &e,
+                      DBUS_TYPE_INVALID) ||
                 dbus_error_is_set(&error)) {
                 fprintf(stderr, "WARNING: Failed to parse EntryGroup.StateChanged signal: %s\n", error.message);
                 goto fail;
             }
+
+            if ((c = avahi_error_dbus_to_number(e)) != AVAHI_OK)
+                avahi_client_set_errno(client, c);
             
             avahi_entry_group_set_state(g, state);
         }
@@ -244,7 +259,7 @@ static int get_server_state(AvahiClient *client, int *ret_error) {
     if (!reply || dbus_error_is_set (&error))
         goto fail;
 
-    if (!(dbus_message_get_args(reply, &error, DBUS_TYPE_INT32, &state, DBUS_TYPE_INVALID)) ||
+    if (!dbus_message_get_args(reply, &error, DBUS_TYPE_INT32, &state, DBUS_TYPE_INVALID) ||
         dbus_error_is_set (&error))
         goto fail;