Date: Tue, 21 May 2019 07:04:54 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 238013] Buffer overrun in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c Message-ID: <bug-238013-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D238013 Bug ID: 238013 Summary: Buffer overrun in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: yangx92@hotmail.com Created attachment 204501 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D204501&action= =3Dedit Proposed patch There is a buffer overrun vulnerability in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c, which is same as vulnerability that was fixed= in https://github.com/freebsd/freebsd/commit/a9647f4732da9b517eec6d174a7c1f244= 1443729. static size_t dname_labeldec(char *dst, size_t dlen, const char *src) { size_t len; const char *src_origin; const char *src_last; const char *dst_origin; src_origin =3D src; src_last =3D strchr(src, '\0'); dst_origin =3D dst; memset(dst, '\0', dlen); while (src && (len =3D (uint8_t)(*src++) & 0x3f) && (src + len) <=3D src_last) { if (dst !=3D dst_origin) *dst++ =3D '.'; mysyslog(LOG_DEBUG, "<%s> labellen =3D %zd", __func__, len); memcpy(dst, src, len); src +=3D len; dst +=3D len; } *dst =3D '\0'; return (src - src_origin); } In the condition of while, we should limit the range of variable dst. The attachment is the proposed patch. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238013-227>