From: Hiroki Sato Date: Sat, 4 Jun 2011 01:11:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r222662 - in user/hrs/ipv6/usr.sbin: rtadvd rtsold X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Jun 2011 01:11:35 -0000 Author: hrs Date: Sat Jun 4 01:11:34 2011 New Revision: 222662 URL: http://svn.freebsd.org/changeset/base/222662 Log: - Add another length check for DNSSL option. A malformed ICMP message can have no '\0' in the search list and/or invalid length field. - NI_MAXHOST is defined including \0. Modified: user/hrs/ipv6/usr.sbin/rtadvd/dump.c user/hrs/ipv6/usr.sbin/rtsold/rtsol.c Modified: user/hrs/ipv6/usr.sbin/rtadvd/dump.c ============================================================================== --- user/hrs/ipv6/usr.sbin/rtadvd/dump.c Fri Jun 3 21:17:42 2011 (r222661) +++ user/hrs/ipv6/usr.sbin/rtadvd/dump.c Sat Jun 4 01:11:34 2011 (r222662) @@ -254,7 +254,7 @@ if_dump(void) TAILQ_FOREACH(dns, &rai->dnssl, dn_next) { struct dnssl_addr *dnsa; - char buf[NI_MAXHOST + 1]; + char buf[NI_MAXHOST]; if (dns == TAILQ_FIRST(&rai->dnssl)) fprintf(fp, " DNS search list:\n" 
@@ -295,12 +295,15 @@ dname_labeldec(char *dst, size_t dlen, c { size_t len; const char *src_origin; + const char *src_last; const char *dst_origin; src_origin = src; + src_last = strchr(src, '\0'); dst_origin = dst; memset(dst, '\0', dlen); - while (src && (len = (uint8_t)(*src++) & 0x3f)) { + while (src && (len = (uint8_t)(*src++) & 0x3f) && + (src + len) <= src_last) { if (dst != dst_origin) *dst++ = '.'; syslog(LOG_DEBUG, "<%s> labellen = %d", __func__, len); Modified: user/hrs/ipv6/usr.sbin/rtsold/rtsol.c ============================================================================== --- user/hrs/ipv6/usr.sbin/rtsold/rtsol.c Fri Jun 3 21:17:42 2011 (r222661) +++ user/hrs/ipv6/usr.sbin/rtsold/rtsol.c Sat Jun 4 01:11:34 2011 (r222662) @@ -248,7 +248,7 @@ rtsol_input(int s) struct nd_opt_dnssl *dnssl; size_t len; char nsbuf[INET6_ADDRSTRLEN + 1 + IFNAMSIZ + 1 + 1]; - char dname[NI_MAXHOST + 1]; + char dname[NI_MAXHOST]; struct timeval now; struct timeval lifetime; @@ -474,6 +474,13 @@ rtsol_input(int s) break; } + /* + * Ensure NUL-termination in DNSSL in case of + * malformed field. + */ + p = (char *)RA_OPT_NEXT_HDR(raoptp); + *(p - 1) = '\0'; + p = raoptp + sizeof(*dnssl); while (1 < (len = dname_labeldec(dname, sizeof(dname), p))) { @@ -790,12 +797,15 @@ dname_labeldec(char *dst, size_t dlen, c { size_t len; const char *src_origin; + const char *src_last; const char *dst_origin; src_origin = src; + src_last = strchr(src, '\0'); dst_origin = dst; memset(dst, '\0', dlen); - while (src && (len = (uint8_t)(*src++) & 0x3f)) { + while (src && (len = (uint8_t)(*src++) & 0x3f) && + (src + len) <= src_last) { if (dst != dst_origin) *dst++ = '.'; warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);
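Review bot: In the rtadvd/dump.c dname_labeldec() hunk, the new bound comes from src_last = strchr(src, '\0'), which is itself an unbounded scan. It only helps if a NUL is guaranteed somewhere inside the source buffer, and nothing in the dump.c changes shown here establishes that guarantee. Passing the end of the source (or its length) into dname_labeldec() and comparing against that would remove the dependency. The strchr() call also dereferences src before the loop's "src &&" test runs, so that test no longer guards anything. Separately, the context line syslog(LOG_DEBUG, "<%s> labellen = %d", __func__, len) prints a size_t with %d; %zu matches the type.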
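Review bot: In the rtsol.c hunk at -474, *(p - 1) = '\0' writes into the received option at an address derived from RA_OPT_NEXT_HDR(raoptp). That is safe only if the option length has already been checked as non-zero and as lying inside the received packet. Only a trailing "break;" from the preceding code is visible in this hunk, so please confirm that the check exists on every path that reaches this write, or add it here. The write also silently repairs the case the log message calls malformed. Testing whether the last byte is already '\0', and logging and skipping the option when it is not, would keep a bad DNSSL from being parsed as a shortened but valid-looking list. The comment could also say that the byte being overwritten is the last byte of the current option.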
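Review bot: In the rtsol.c dname_labeldec() hunk at -790, a failed (src + len) <= src_last test leaves the while loop exactly the way a terminating zero-length label does. From the lines shown, the caller's while (1 < (len = dname_labeldec(dname, sizeof(dname), p))) loop cannot tell a truncated name from a complete one unless code after the loop distinguishes them; an explicit error return for the out-of-range case would make that clear. The & 0x3f mask has the same effect on length bytes with the top bits set: they are folded into a shorter label length instead of being rejected. This function is now patched identically in rtadvd/dump.c and rtsold/rtsol.c, so a shared helper would keep the two copies from drifting. The context line warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len) should use %zu for a size_t.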