From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Mon, 23 Oct 2023 20:29:31 +0000
Subject: [PATCH] core: reject overly long TXT resource records
Closes https://github.com/lathiat/avahi/issues/455
CVE-2023-38469
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-1.patch?h=ubuntu/focal-security Upstream commit https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
CVE: CVE-2023-38469
Signed-off-by: Vijay Anusuri
---
 avahi-core/rr.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
Index: avahi-0.7/avahi-core/rr.c
===================================================================
--- avahi-0.7.orig/avahi-core/rr.c
+++ avahi-0.7/avahi-core/rr.c
@@ -32,6 +32,7 @@
 #include
 #include

+#include "dns.h"
 #include "rr.h"
 #include "log.h"
 #include "util.h"
@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r
 case AVAHI_DNS_TYPE_TXT: {

 AvahiStringList *strlst;
+ size_t used = 0;

- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
+ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
 if (strlst->size > 255 || strlst->size <= 0)
 return 0;

+ used += 1+strlst->size;
+ if (used > AVAHI_DNS_RDATA_MAX)
+ return 0;
+ }
+
 return 1;
 }
 }
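Review bot: The new accumulation `used += 1+strlst->size;` in the AVAHI_DNS_TYPE_TXT case carries no comment explaining the `1+`, so a reader has to infer that it accounts for the one-byte length prefix each TXT string presumably gets when serialized. I would add `/* each string costs a length byte plus its payload; the total must fit in one RDATA field */` directly above it. The value of AVAHI_DNS_RDATA_MAX comes from the newly included dns.h and is not visible here, so it is worth confirming that it matches the limit the serializer actually enforces; otherwise a record could pass this check and still fail later. The per-string `> 255` test runs before the addition, which keeps `used` from wrapping. avahi_record_is_valid starts and ends outside this hunk.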