Add validity checking to TXT data parsing, this fixes a remotely exploitable vulnerab...

[catta] / avahi-common / strlst.c

diff --git a/avahi-common/strlst.c b/avahi-common/strlst.c
index 04941b4e9d116fe2d88afcfeb0047c8530cbe433..4b96112b935b8c3758bdc2271be63ae7a9b72645 100644 (file)
--- a/avahi-common/strlst.c
+++ b/avahi-common/strlst.c
@@ -68,29 +68,45 @@ AvahiStringList *avahi_string_list_add(AvahiStringList *l, const char *text) {
     return avahi_string_list_add_arbitrary(l, (const uint8_t*) text, strlen(text));
 }
 
-AvahiStringList *avahi_string_list_parse(const void* data, size_t size) {
-    AvahiStringList *r = NULL;
+int avahi_string_list_parse(const void* data, size_t size, AvahiStringList **ret) {
     const uint8_t *c;
+    AvahiStringList *r;
     
     assert(data);
+    assert(ret);
+
+    r = NULL;
 
     c = data;
-    for (;;) {
+    while (size > 0) {
         size_t k;
         
-        if (size < 1)
-            break;
-
         k = *(c++);
+        size--;
 
-        if (k > 0) /* Ignore empty strings */
-            r = avahi_string_list_add_arbitrary(r, c, k);
-        c += k;
+        if (k > size)
+            goto fail; /* Overflow */
+
+        if (k > 0) { /* Ignore empty strings */
+            AvahiStringList *n;
 
-        size -= 1 + k;
+            if (!(n = avahi_string_list_add_arbitrary(r, c, k)))  
+                goto fail; /* OOM */
+
+            r = n;
+        }
+            
+        c += k;
+        size -= k;
     }
 
-    return r;
+    *ret = r;
+    
+    return 0;
+
+fail:
+    avahi_string_list_free(*ret);
+    return -1;
 }
 
 void avahi_string_list_free(AvahiStringList *l) {