Avahi daemon dies on certain hostnames

[IvanSanchez]

If a (un)intentionally malformed mDNS response packet is received by avahi-daemon, it will die. Such a mDNS response packet contains a domain name with "strange" characters (for example, "fóobar.local" - notice the acute in "ó"). See attached ethereal capture for an example.

How to reproduce: set up a device in the local network that identifies itself as "fóobar.local", then run "avahi-browse -at". An example of devices that allow such names are the Axis IP cameras, that can be configured via HTTP to do so ("wget  http://{camera_ip_address}/axis-cgi/admin/param.cgi?action=update&Network.Bonjour.FriendlyName=fóobar").

Symptoms: "avahi-browse -at" dies with the following error message if there are no more devices in the local network: Client failure, exiting: Daemon connection failed 17956: arguments to dbus_connection_get_is_connected() were incorrect, assertion "connection != NULL" failed in file dbus-connection.c line 1984. This is normally a bug in some application using the D-BUS library. Or with this error message if there are more devices: avahi_service_browser_new() failed: Daemon not running

In either case, the avahi-daemon processes die (the dbus-daemon remains alive), and the following line gets into the syslog: Mar 21 18:17:45 localhost avahi-daemon[17964]: Disconnnected from D-BUS, terminating...

In the same scenario, Bonjour seems to ignore those "strange" characters in the domain name (i.e. "fóobar.local" becomes "fobar.local"). It's worth noting that blank spaces in the domain name remain intact.

Related discussion on the mailing list:  http://lists.freedesktop.org/archives/avahi/2006-March/000586.html

[IvanSanchez]

ethereal capture of "killer" mDNS response

[IvanSanchez]

strace of avahi-daemon before dying

[lennart]

Actually Avahi never does any UTF8 validity checks. Hence, if some other host registers a service with broken UTF8 and avahi passes info about this service over DBUS avahi will die. That opens avahi for easy DoS attacks. Humm. That sucks. DBUS shouldn't make UTF8 validity tests like that.

I will investigate this futher.

[IvanSanchez]

An iBook named "fóobar" mDNS response, does not kill avahi

[lennart]

(In [1194]) strip characters that are not in the set [a-zA-Z0-9-] from the local host name before using it in mDNS. (see #21)

[lennart]

(In [1202]) add an utf8 check when unescaping domains - essentially this means that all domain related functions will now consider strings with invalid utf8 as invalid (see #21)

[lennart]

Ivan, could you please test current SVN of Avahi if it detects the invalid UTF8 hostnames properly now? It should simply print a message to syslog and ignore the records. I would like to close this bug now.

[lennart]

Ivan, any updates on this?

[IvanSanchez]

Lennart,

Recent SVN versions (2006-04-25) of avahi work as expected. Avahi-daemon doesn't die, and hosts with invalid hostnames are ignored.

And yes: avahi-daemon prints the "server.c: Packet too short or invalid while reading response record. (Maybe an UTF8 problem?)" error message.