CVE: CVE-2021-3468
Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/330]
Signed-off-by: Ross Burton <ross.burton@arm.com>

From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
From: Riccardo Schirone <sirmy15@gmail.com>
Date: Fri, 26 Mar 2021 11:50:24 +0100
Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
 client_work

If a client fills the input buffer, client_work() disables the
AVAHI_WATCH_IN event, thus preventing the function from executing the
`read` syscall the next times it is called. However, if the client then
terminates the connection, the socket file descriptor receives a HUP
event, which is not handled, thus the kernel keeps marking the HUP event
as occurring. While iterating over the file descriptors that triggered
an event, the client file descriptor will keep having the HUP event and
the client_work() function is always called with AVAHI_WATCH_HUP but
without anything being done, thus entering an infinite loop.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
---
 avahi-daemon/simple-protocol.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
index 3e0ebb11..6c0274d6 100644
--- a/avahi-daemon/simple-protocol.c
+++ b/avahi-daemon/simple-protocol.c
@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
 }
 }
 
+ if (events & AVAHI_WATCH_HUP) {
+ client_free(c);
+ return;
+ }
+
 c->server->poll_api->watch_update(
 watch,
 (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
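Review bot: the new HUP block returns before the watch_update() call that follows it, so its correctness depends on client_free(c) also removing the watch; a one-line comment saying so would help, because a watch that outlived the client would call client_work() on freed memory on the next event. It is also worth confirming that the read/write handling above (the two closing braces at the top of the hunk) cannot already have freed `c` on a zero-length read and fallen through to this check, since a closed peer commonly reports IN and HUP together; if that path can free the client, it must return rather than reach this block. Placing the HUP check after the existing handling, so that any data already readable is consumed before teardown, is the right order and could be noted in the same comment.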