Bug 603289 (CVE-2010-2244) - VUL-1: CVE-2010-2244: avahi: long packets crash avahi
Summary: VUL-1: CVE-2010-2244: avahi: long packets crash avahi
Status: REOPENED
Duplicates: 646961
Alias: CVE-2010-2244
Product: openSUSE 11.2
Classification: openSUSE
Component: Basesystem
Version: Final
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard: maint:planned:update
Keywords:
Depends on:
Blocks:
 
Reported: 2010-05-06 12:55 UTC by Ludwig Nussel
Modified: 2021-12-02 12:33 UTC
CC: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
proposed patch (913 bytes, patch), 2010-06-16 11:17 UTC, Ludwig Nussel
2nd version with ipv6 fixed too (1.17 KB, patch), 2010-06-23 08:56 UTC, Ludwig Nussel

Description Ludwig Nussel 2010-05-06 12:55:16 UTC
On my workstation avahi crashes every once in a while during normal
operation. Now I finally managed to catch the crash in gdb:

Received response from host 10.10.4.3 with invalid source port 35247 on interface 'eth0.0'
on: running [tanana.local]: socket.c:687: avahi_recv_dns_packet_ipv4: Assertion `!(msg.msg_flags & MSG_TRUNC)' failed.

Program received signal SIGABRT, Aborted.
0x00007fee10c934e5 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007fee10c934e5 in raise () from /lib64/libc.so.6
#1  0x00007fee10c949b0 in abort () from /lib64/libc.so.6
#2  0x00007fee10c8c24a in __assert_fail () from /lib64/libc.so.6
#3  0x00007fee11a6209e in avahi_recv_dns_packet_ipv4 () from /usr/lib64/libavahi-core.so.6
#4  0x00007fee11a5afa2 in ?? () from /usr/lib64/libavahi-core.so.6
#5  0x00007fee11c875b8 in avahi_simple_poll_dispatch () from /usr/lib64/libavahi-common.so.3
#6  0x0000000000407d71 in run_server (c=<value optimized out>) at main.c:1096
#7  main (c=<value optimized out>) at main.c:1508


avahi hits the assertion when receiving an overly large packet.
The fix is to gracefully ignore the packet rather than exiting, I
guess :-)
Comment 1 Ludwig Nussel 2010-05-06 13:28:40 UTC
I've notified upstream & vendor-sec.
Comment 2 Ludwig Nussel 2010-05-07 14:50:09 UTC
upstream says it must be a kernel bug. Avahi uses ioctl FIONREAD to determine the buffer size for recvmsg. So the returned message should never be truncated.

I don't know if the actual hardware matters. So here's mine, just in case

  Model: "Intel 82566DM Gigabit Network Connection"
  Vendor: pci 0x8086 "Intel Corporation"
  Device: pci 0x104a "82566DM Gigabit Network Connection"
  SubVendor: pci 0x8086 "Intel Corporation"
  SubDevice: pci 0x0001 
  Revision: 0x02
  Driver: "e1000e"
  Driver Modules: "e1000e"
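The receive path described in comment 2 (size the buffer with ioctl FIONREAD, then recvmsg, and never expect MSG_TRUNC) and the handling the report asks for (drop a truncated packet instead of aborting on an assertion) as an added C example. This is not avahi's code or its patch: the AF_UNIX SOCK_DGRAM socketpair standing in for the daemon's UDP socket, the `cap` parameter that deliberately undersizes the buffer to reproduce a FIONREAD/recvmsg mismatch, the constructed payload and the function names are all assumptions of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Outcome of one receive attempt. */
enum recv_status { RECV_OK = 0, RECV_EMPTY = 1, RECV_TRUNCATED = 2, RECV_ERROR = 3 };

/*
 * Size the buffer from FIONREAD (length of the next queued datagram), then
 * recvmsg() into it.  `cap` is an example-only bound on the allocation; the
 * demo uses a small cap to provoke the case from the bug report, where the
 * datagram is longer than the buffer and the kernel sets MSG_TRUNC.  A
 * truncated packet is dropped and reported, never asserted on, so a single
 * oversize packet from the local link cannot take the daemon down.
 */
static enum recv_status recv_dns_packet(int fd, size_t cap,
                                        unsigned char **out, size_t *out_len)
{
    int queued = 0;
    if (ioctl(fd, FIONREAD, &queued) < 0 || queued < 0)
        return RECV_ERROR;

    size_t want = (size_t)queued;
    if (want == 0)
        want = 1;            /* nothing queued yet: still need a non-empty iovec */
    if (want > cap)
        want = cap;          /* simulates FIONREAD under-reporting the real size */

    unsigned char *buf = malloc(want);
    if (!buf)
        return RECV_ERROR;

    struct iovec iov = { .iov_base = buf, .iov_len = want };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    ssize_t n = recvmsg(fd, &msg, MSG_DONTWAIT);
    if (n < 0) {
        free(buf);
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? RECV_EMPTY : RECV_ERROR;
    }
    if (msg.msg_flags & MSG_TRUNC) {
        /* The kernel discarded the tail; the datagram is unusable, so drop
         * it and let the caller continue polling instead of abort()ing. */
        free(buf);
        return RECV_TRUNCATED;
    }
    *out = buf;
    *out_len = (size_t)n;
    return RECV_OK;
}

/*
 * Push one `len`-byte datagram through an AF_UNIX SOCK_DGRAM socketpair
 * (stand-in for avahi's UDP socket; needs no network) and receive it with
 * the buffer capped at `cap`.  After a truncated receive, also checks that
 * the bad datagram has left the queue, so the caller cannot spin on it.
 */
static enum recv_status check_truncation(size_t len, size_t cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return RECV_ERROR;

    unsigned char *payload = malloc(len);
    if (!payload) { close(sv[0]); close(sv[1]); return RECV_ERROR; }
    memset(payload, 0xAB, len);     /* constructed filler, not a real DNS packet */

    enum recv_status st = RECV_ERROR;
    unsigned char *pkt = NULL;
    size_t pkt_len = 0;
    if (send(sv[0], payload, len, 0) == (ssize_t)len) {
        st = recv_dns_packet(sv[1], cap, &pkt, &pkt_len);
        if (st == RECV_OK && pkt_len != len)
            st = RECV_ERROR;        /* a non-truncated receive must be complete */
        if (st == RECV_TRUNCATED) {
            unsigned char *again = NULL;
            size_t again_len = 0;
            if (recv_dns_packet(sv[1], cap, &again, &again_len) != RECV_EMPTY)
                st = RECV_ERROR;    /* oversize datagram was not consumed */
            free(again);
        }
    }
    free(pkt);
    free(payload);
    close(sv[0]);
    close(sv[1]);
    return st;
}

int main(void)
{
    printf("64-byte datagram, 1024-byte cap: status %d (RECV_OK is 0)\n",
           check_truncation(64, 1024));
    printf("64-byte datagram, 16-byte cap:   status %d (RECV_TRUNCATED is 2)\n",
           check_truncation(64, 16));
    return 0;
}
```

The second call is the shape of the crash in the description: the buffer is smaller than the datagram, recvmsg returns with MSG_TRUNC set, and where the assertion would have called abort() the function just discards the packet and returns to the poll loop. The follow-up receive returning RECV_EMPTY shows the truncated datagram was consumed, which matters because a dropped-but-not-consumed packet would be read again on the next wakeup.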
Comment 4 Thomas Biege 2010-05-14 07:35:58 UTC
mass change P5 -> P3
Comment 5 Ludwig Nussel 2010-06-16 11:17:43 UTC
Created attachment 369507 [details]
proposed patch
Comment 6 Ludwig Nussel 2010-06-23 08:56:37 UTC
Created attachment 371094 [details]
2nd version with ipv6 fixed too
Comment 7 Sebastian Krahmer 2010-06-28 11:37:26 UTC
CVE-2010-2244
Comment 8 Ludwig Nussel 2010-07-12 09:38:21 UTC
The fix is in 11.3. The bug is kept on planned updates for older distros.
Comment 9 Marcus Meissner 2010-10-15 14:38:49 UTC
*** Bug 646961 has been marked as a duplicate of this bug. ***
Comment 10 Thomas Leroy 2021-12-02 12:33:19 UTC
Still missing for SLE-11-SP1:Update