: refs/heads/releng/14.3
X-Git-Reftype: branch
X-Git-Commit: 3c54b204bf86dc6c84b72c3fe8820d0ce25cb354
Auto-Submitted: auto-generated
Date: Tue, 16 Dec 2025 23:43:25 +0000
Message-Id: <6941ee9d.23dad.148278e4@gitrepo.freebsd.org>

The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=3c54b204bf86dc6c84b72c3fe8820d0ce25cb354

commit 3c54b204bf86dc6c84b72c3fe8820d0ce25cb354
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-12-15 20:50:08 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-12-16 23:41:02 +0000

    rtsold: Validate entries in domain search lists
    
    Reported by:    Kevin Day <kevin@your.org>
    Approved by:    so
    Security:       FreeBSD-SA-25:12.rtsold
    Security:       CVE-2025-14558
---
 usr.sbin/rtsold/rtsol.c | 46 ++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index 79928932ca5c..a7d5a44a7d44 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -776,6 +776,41 @@ call_script(const char *const argv[], struct script_msg_head_t *sm_head)
 		    argv[0], status);
 }
 
+#define	PERIOD 0x2e
+#define	hyphenchar(c) ((c) == 0x2d)
+#define	periodchar(c) ((c) == PERIOD)
+#define	alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) || \
+	    ((c) >= 0x61 && (c) <= 0x7a))
+#define	digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+
+#define	borderchar(c) (alphachar(c) || digitchar(c))
+#define	middlechar(c) (borderchar(c) || hyphenchar(c))
+
+static int
+res_hnok(const char *dn)
+{
+	int pch = PERIOD, ch = *dn++;
+
+	while (ch != '\0') {
+		int nch = *dn++;
+
+		if (periodchar(ch)) {
+			;
+		} else if (periodchar(pch)) {
+			if (!borderchar(ch))
+				return (0);
+		} else if (periodchar(nch) || nch == '\0') {
+			if (!borderchar(ch))
+				return (0);
+		} else {
+			if (!middlechar(ch))
+				return (0);
+		}
+		pch = ch, ch = nch;
+	}
+	return (1);
+}
+
 /* Decode domain name label encoding in RFC 1035 Section 3.1 */
 static size_t
 dname_labeldec(char *dst, size_t dlen, const char *src)
@@ -804,12 +839,11 @@ dname_labeldec(char *dst, size_t dlen, const char *src)
 	}
 	*dst = '\0';
 
-	/*
-	 * XXX validate that domain name only contains valid characters
-	 * for two reasons: 1) correctness, 2) we do not want to pass
-	 * possible malicious, unescaped characters like `` to a script
-	 * or program that could be exploited that way.
-	 */
+	if (!res_hnok(dst_origin)) {
+		warnmsg(LOG_INFO, __func__,
+		    "invalid domain name '%s' was ignored", dst_origin);
+		return (0);
+	}
 
 	return (src - src_origin);
 }