From owner-svn-src-all@freebsd.org Tue Dec 6 18:49:39 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D3410C6A51D; Tue, 6 Dec 2016 18:49:39 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ADE0E1023; Tue, 6 Dec 2016 18:49:39 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uB6IncaW016925; Tue, 6 Dec 2016 18:49:38 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uB6Incav016919; Tue, 6 Dec 2016 18:49:38 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201612061849.uB6Incav016919@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f From: Gleb Smirnoff Date: Tue, 6 Dec 2016 18:49:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r309633 - in releng/11.0: . contrib/telnet/telnetd lib/libc/net lib/libvmmapi sys/conf X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Dec 2016 18:49:39 -0000 Author: glebius Date: Tue Dec 6 18:49:38 2016 New Revision: 309633 URL: https://svnweb.freebsd.org/changeset/base/309633 Log: Fix possible login(1) argument injection in telnetd(8). [SA-16:36] Fix link_ntoa(3) buffer overflow in libc. [SA-16:37] Fix possible escape from bhyve(8) virtual machine. [SA-16:38] Fix warnings about valid time zone abbreviations. [EN-16:19] Update timezone database information. [EN-16:20] Fix incorrectly defined unicode character(s). [EN-16:21] Security: FreeBSD-SA-16:36.telnetd Security: FreeBSD-SA-16:37.libc Security: FreeBSD-SA-16:38.bhyve Errata Notice: FreeBSD-EN-16:19.tzcode Errata Notice: FreeBSD-EN-16:20.tzdata Errata Notice: FreeBSD-EN-16:21.localedef Approved by: so Modified: releng/11.0/UPDATING releng/11.0/contrib/telnet/telnetd/sys_term.c releng/11.0/lib/libc/net/linkaddr.c releng/11.0/lib/libvmmapi/vmmapi.c releng/11.0/sys/conf/newvers.sh Modified: releng/11.0/UPDATING ============================================================================== --- releng/11.0/UPDATING Tue Dec 6 18:35:10 2016 (r309632) +++ releng/11.0/UPDATING Tue Dec 6 18:49:38 2016 (r309633) @@ -16,6 +16,20 @@ from older versions of FreeBSD, try WITH the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20161206 p4 FreeBSD-SA-16:36.telnetd + FreeBSD-SA-16:37.libc + FreeBSD-SA-16:38.bhyve + FreeBSD-EN-16:19.tzcode + FreeBSD-EN-16:20.tzdata + FreeBSD-EN-16:21.localedef + + Fix possible login(1) argument injection in telnetd(8). [SA-16:36] + Fix link_ntoa(3) buffer overflow in libc. [SA-16:37] + Fix possible escape from bhyve(8) virtual machine. [SA-16:38] + Fix warnings about valid time zone abbreviations. [EN-16:19] + Update timezone database information. [EN-16:20] + Fix incorrectly defined unicode character(s). [EN-16:21] + 20161102 p3 FreeBSD-SA-16:33.openssh Fix Fix OpenSSH remote Denial of Service vulnerability. Modified: releng/11.0/contrib/telnet/telnetd/sys_term.c ============================================================================== --- releng/11.0/contrib/telnet/telnetd/sys_term.c Tue Dec 6 18:35:10 2016 (r309632) +++ releng/11.0/contrib/telnet/telnetd/sys_term.c Tue Dec 6 18:49:38 2016 (r309633) @@ -1159,7 +1159,7 @@ addarg(char **argv, const char *val) */ argv = (char **)malloc(sizeof(*argv) * 12); if (argv == NULL) - return(NULL); + fatal(net, "failure allocating argument space"); *argv++ = (char *)10; *argv = (char *)0; } @@ -1170,11 +1170,12 @@ addarg(char **argv, const char *val) *argv = (char *)((long)(*argv) + 10); argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2)); if (argv == NULL) - return(NULL); + fatal(net, "failure allocating argument space"); argv++; cpp = &argv[(long)argv[-1] - 10]; } - *cpp++ = strdup(val); + if ((*cpp++ = strdup(val)) == NULL) + fatal(net, "failure allocating argument space"); *cpp = 0; return(argv); } Modified: releng/11.0/lib/libc/net/linkaddr.c ============================================================================== --- releng/11.0/lib/libc/net/linkaddr.c Tue Dec 6 18:35:10 2016 (r309632) +++ releng/11.0/lib/libc/net/linkaddr.c Tue Dec 6 18:49:38 2016 (r309633) @@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include @@ -122,31 +123,47 @@ char * link_ntoa(const struct sockaddr_dl *sdl) { static char obuf[64]; - char *out = obuf; - int i; - u_char *in = (u_char *)LLADDR(sdl); - u_char *inlim = in + sdl->sdl_alen; - int firsttime = 1; - - if (sdl->sdl_nlen) { - bcopy(sdl->sdl_data, obuf, sdl->sdl_nlen); - out += sdl->sdl_nlen; - if (sdl->sdl_alen) + _Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small"); + char *out; + const char *in, *inlim; + int namelen, i, rem; + + namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ; + + out = obuf; + rem = sizeof(obuf); + if (namelen > 0) { + bcopy(sdl->sdl_data, out, namelen); + out += namelen; + rem -= namelen; + if (sdl->sdl_alen > 0) { *out++ = ':'; + rem--; + } } - while (in < inlim) { - if (firsttime) - firsttime = 0; - else + + in = (const char *)sdl->sdl_data + sdl->sdl_nlen; + inlim = in + sdl->sdl_alen; + + while (in < inlim && rem > 1) { + if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) { *out++ = '.'; + rem--; + } i = *in++; if (i > 0xf) { - out[1] = hexlist[i & 0xf]; + if (rem < 3) + break; + *out++ = hexlist[i & 0xf]; i >>= 4; - out[0] = hexlist[i]; - out += 2; - } else *out++ = hexlist[i]; + rem -= 2; + } else { + if (rem < 2) + break; + *out++ = hexlist[i]; + rem++; + } } *out = 0; return (obuf); Modified: releng/11.0/lib/libvmmapi/vmmapi.c ============================================================================== --- releng/11.0/lib/libvmmapi/vmmapi.c Tue Dec 6 18:35:10 2016 (r309632) +++ releng/11.0/lib/libvmmapi/vmmapi.c Tue Dec 6 18:49:38 2016 (r309633) @@ -426,13 +426,18 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t { if (ctx->lowmem > 0) { - if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem) + if (gaddr < ctx->lowmem && len <= ctx->lowmem && + gaddr + len <= ctx->lowmem) return (ctx->baseaddr + gaddr); } if (ctx->highmem > 0) { - if (gaddr >= 4*GB && gaddr + len <= 4*GB + ctx->highmem) - return (ctx->baseaddr + gaddr); + if (gaddr >= 4*GB) { + if (gaddr < 4*GB + ctx->highmem && + len <= ctx->highmem && + gaddr + len <= 4*GB + ctx->highmem) + return (ctx->baseaddr + gaddr); + } } return (NULL); Modified: releng/11.0/sys/conf/newvers.sh ============================================================================== --- releng/11.0/sys/conf/newvers.sh Tue Dec 6 18:35:10 2016 (r309632) +++ releng/11.0/sys/conf/newvers.sh Tue Dec 6 18:49:38 2016 (r309633) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="11.0" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi