$NetBSD: patch-ai,v 1.4 2025/02/26 11:43:05 nia Exp $

Part 1: Check lower bounds on port.

Part 2: Fix CVE-2023-38471 (https://github.com/avahi/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09.patch)

--- avahi-core/server.c.orig	2020-02-17 03:41:24.939967558 +0000
+++ avahi-core/server.c
@@ -952,6 +952,11 @@ static void dispatch_packet(AvahiServer 
         return;
     }
 
+    if (port <= 0) {
+        avahi_log_warn("Received packet from invalid source port.");
+        return;
+    }
+
     if (avahi_address_is_ipv4_in_ipv6(src_address))
         /* This is an IPv4 address encapsulated in IPv6, so let's ignore it. */
         return;
@@ -1295,7 +1300,11 @@ static void update_fqdn(AvahiServer *s) 
 }
 
 int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
-    char *hn = NULL;
+    char label_escaped[AVAHI_LABEL_MAX*4+1];
+    char label[AVAHI_LABEL_MAX];
+    char *hn = NULL, *h;
+    size_t len;
+
     assert(s);
 
     AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
@@ -1305,17 +1314,28 @@ int avahi_server_set_host_name(AvahiServ
     else
         hn = avahi_normalize_name_strdup(host_name);
 
-    hn[strcspn(hn, ".")] = 0;
+    h = hn;
+    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+        avahi_free(h);
+        return AVAHI_ERR_INVALID_HOST_NAME;
+    }
+
+    avahi_free(h);
 
-    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
-        avahi_free(hn);
+    h = label_escaped;
+    len = sizeof(label_escaped);
+    if (!avahi_escape_label(label, strlen(label), &h, &len))
+        return AVAHI_ERR_INVALID_HOST_NAME;
+
+    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
-    }
 
     withdraw_host_rrs(s);
 
     avahi_free(s->host_name);
-    s->host_name = hn;
+    s->host_name = avahi_strdup(label_escaped);
+    if (!s->host_name)
+        return AVAHI_ERR_NO_MEMORY;
 
     update_fqdn(s);
 
