Bug#517683: avahi-daemon: reflector creates packet storm on legacy unicast traffic
Rob Leslie
Version: 0.6.23-3lenny1
Severity: important
Tags: patch
The avahi-daemon reflector contains a bug that causes packet storms when
reflecting legacy unicast mDNS traffic. What happens is the reflector
forwards the initial multicast query onto the other interfaces, and then
receives it back from the same interfaces (IP_MULTICAST_LOOP) but doesn't
recognize it as the legacy unicast packet it just forwarded. It therefore
acts as though it were a separate query and forwards it back onto all the
other interfaces (including the original) and the process repeats ad
infinitum -- until the box locks up (I've had some automatically reboot via
watchdog) or if lucky the legacy unicast reflection slots that avahi-daemon
maintains will fill up and the storm will abate. A symptom of the latter
case is the syslog message "No slot available for legacy unicast reflection,
dropping query packet." (See also Avahi ticket #216 which seems to be
indicative of this problem.)
The problem is that the originates_from_local_legacy_unicast_socket()
routine in avahi-core/server.c fails to take the network byte order of
.sin_port into account when examining incoming multicast packets. The
attached patch corrects this problem.
-- System Information:
Debian Release: 5.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages avahi-daemon depends on:
ii adduser 3.110 add and remove users and groups
ii bind9-host [host] 1:9.5.1.dfsg.P1-1 Version of 'host' bundled with BIN
ii dbus 1.2.1-5 simple interprocess messaging syst
ii libavahi-common3 0.6.23-3lenny1 Avahi common library
ii libavahi-core5 0.6.23-3lenny1 Avahi's embeddable mDNS/DNS-SD lib
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcap2 2.11-2 support for getting/setting POSIX.
ii libdaemon0 0.12-2lenny1 lightweight C library for daemons
ii libdbus-1-3 1.2.1-5 simple interprocess messaging syst
ii libexpat1 2.0.1-4 XML parsing C library - runtime li
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
Versions of packages avahi-daemon recommends:
ii libnss-mdns 0.10-3 NSS module for Multicast DNS name
Versions of packages avahi-daemon suggests:
pn avahi-autoipd <none> (no description available)
-- no debconf information
Rob Leslie
>> Nico, do you consider that important enough for a s-s-u upload?
>
> As avahi is mostly used on end-user desktop machines and this
> feature is switched off by default (and I don't expect end-users and
> typical desktop users to switch it on) I'd say no. I would be happy
> if you upload a fixed package to stable and oldstable directly.
> Please raise your voice if you have a different opinion about that!
While I agree that avahi-daemon is mostly used on end-user
workstations with the reflector disabled, anyone who intentionally
enables the reflector is obviously operating in a fundamentally
different environment (e.g. multi-homed router) and it is precisely
that environment which elevates the risk of exposure.
In other words, while I agree the risk to desktop users is minimal and
doesn't merit special handling, the risk to other users is much higher
and I hope you will also take them into account.
I suspect the at-risk category of users will particularly include
enterprise networks[1].
Sincerely,
Rob Leslie
r...@mars.org
[1] See for example this fellow at Disney who seems to have been
unknowingly bitten by this bug:
http://lists.freedesktop.org/archives/avahi/2008-March/001325.html
--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org