Date: Wed, 7 Dec 2016 09:43:17 -0500
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Gleb Smirnoff
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r309639 - head/lib/libc/net
Message-ID: <20161207144317.GB29174@mutt-hardenedbsd>
In-Reply-To: <201612061850.uB6IoY1U017268@repo.freebsd.org>
User-Agent: Mutt/1.6.1 (2016-04-27)

On Tue, Dec 06, 2016 at 06:50:34PM +0000, Gleb Smirnoff wrote:
> Author: glebius
> Date: Tue Dec 6 18:50:33 2016
> New Revision: 309639
> URL: https://svnweb.freebsd.org/changeset/base/309639
>
> Log:
> Fix possible buffer overflow(s) in link_ntoa(3).
>
> A specially crafted sockaddr_dl argument can trigger a static buffer overflow
> in the libc library, with possibility to rewrite with arbitrary data following
> static buffers that belong to other library functions.
> =20 > Reviewed by: kib > Security: FreeBSD-SA-16:37.libc >=20 > Modified: > head/lib/libc/net/linkaddr.c >=20 > Modified: head/lib/libc/net/linkaddr.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/lib/libc/net/linkaddr.c Tue Dec 6 18:50:22 2016 (r309638) > +++ head/lib/libc/net/linkaddr.c Tue Dec 6 18:50:33 2016 (r309639) > @@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$"); > =20 > #include > #include > +#include > #include > #include > =20 
> @@ -122,31 +123,47 @@ char * > link_ntoa(const struct sockaddr_dl *sdl) > { > static char obuf[64]; > - char *out =3D obuf; > - int i; > - u_char *in =3D (u_char *)LLADDR(sdl); > - u_char *inlim =3D in + sdl->sdl_alen; > - int firsttime =3D 1; > - > - if (sdl->sdl_nlen) { > - bcopy(sdl->sdl_data, obuf, sdl->sdl_nlen); > - out +=3D sdl->sdl_nlen; > - if (sdl->sdl_alen) > + _Static_assert(sizeof(obuf) >=3D IFNAMSIZ + 20, "obuf is too small"); > + char *out; > + const char *in, *inlim; > + int namelen, i, rem; > + > + namelen =3D (sdl->sdl_nlen <=3D IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ; > + > + out =3D obuf; > + rem =3D sizeof(obuf); > + if (namelen > 0) { > + bcopy(sdl->sdl_data, out, namelen); > + out +=3D namelen; > + rem -=3D namelen; > + if (sdl->sdl_alen > 0) { > *out++ =3D ':'; > + rem--; > + } > } > - while (in < inlim) { > - if (firsttime) > - firsttime =3D 0; > - else > + > + in =3D (const char *)sdl->sdl_data + sdl->sdl_nlen; > + inlim =3D in + sdl->sdl_alen; > + > + while (in < inlim && rem > 1) { > + if (in !=3D (const char *)sdl->sdl_data + sdl->sdl_nlen) { > *out++ =3D '.'; > + rem--; > + } > i =3D *in++; > if (i > 0xf) { > - out[1] =3D hexlist[i & 0xf]; > + if (rem < 3) > + break; > + *out++ =3D hexlist[i & 0xf]; > i >>=3D 4; > - out[0] =3D hexlist[i]; > - out +=3D 2; > - } else > *out++ =3D hexlist[i]; > + rem -=3D 2; > + } else { > + if (rem < 2) > + break; > + *out++ =3D hexlist[i]; > + rem++; rem++ is incorrect. It should be rem--. 
HardenedBSD has a fix here: https://github.com/HardenedBSD/hardenedBSD/commit/fb823297fbced336b6beeeb624e2dc65b67aa0eb
> + } > } > *out =3D 0; > return (obuf);
Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
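Review bot: the `rem++;` in the single-digit `else` branch of the new loop must be `rem--;`, as the reply above says: as written, every address byte of value 0xf or less adds to the free-space counter instead of consuming it, so the `rem > 1`, `rem < 3` and `rem < 2` checks no longer bound the writes and a long sdl_alen made of small bytes can still run past obuf, which is the overflow the change sets out to close. Two further points in the same hunk. First, the two-digit branch now writes `hexlist[i & 0xf]` before it shifts and writes `hexlist[i]`, so each byte comes out low nibble first, whereas the removed `out[0]`/`out[1]` code wrote the high nibble first; the output for a byte 0x1a changes from `1a` to `a1`. Second, `in` was `u_char *` and is now `const char *`; on targets where plain char is signed, a byte of 0x80 or above makes `i` negative, skips the `i > 0xf` branch and indexes hexlist with a negative subscript. Suggested: `rem--;`, emit `hexlist[i >> 4]` followed by `hexlist[i & 0xf]`, and declare `const u_char *in, *inlim;`.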
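As an added example (not FreeBSD's or HardenedBSD's code), here is a stand-alone C version of the bounded formatter the patch is aiming for: `rem` is decremented for single-digit bytes as the reply above suggests, the address is read as unsigned bytes and each byte is written high nibble first, as the pre-patch code did, and the space a byte needs (separator plus digits plus the NUL) is checked before any of it is written, so truncation always falls on a byte boundary. The `struct sdl_min` stand-in for `struct sockaddr_dl`, the `IFNAMSIZ` value of 16, and the `make_sdl`, `format_addr` and `format_repeated` helpers are this example's own assumptions so that it builds without the BSD headers; the inputs in `main` are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef IFNAMSIZ
#define IFNAMSIZ 16            /* assumption: the usual BSD value */
#endif

/* Stand-in for struct sockaddr_dl (<net/if_dl.h>), an assumption of this
 * example. Only the fields link_ntoa() reads are kept: name length,
 * address length, then the name bytes followed by the address bytes. */
struct sdl_min {
    unsigned char sdl_nlen;
    unsigned char sdl_alen;
    unsigned char sdl_data[255 + 255];
};

/* Same fixed 64-byte static output buffer the libc function uses. */
static char obuf[64];
static const char hexlist[] = "0123456789abcdef";
_Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");

char *
link_ntoa_bounded(const struct sdl_min *sdl)
{
    char *out = obuf;
    const unsigned char *in, *inlim;
    int namelen, i, sep, need, rem;

    /* Clamp the name so name + ':' never exceeds IFNAMSIZ + 1 bytes. */
    namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ;
    rem = (int)sizeof(obuf);          /* free bytes, including the final NUL */
    if (namelen > 0) {
        memcpy(out, sdl->sdl_data, (size_t)namelen);
        out += namelen;
        rem -= namelen;
        if (sdl->sdl_alen > 0) {
            *out++ = ':';
            rem--;
        }
    }

    /* The address follows the full, unclamped name. */
    in = sdl->sdl_data + sdl->sdl_nlen;
    inlim = in + sdl->sdl_alen;

    while (in < inlim) {
        i = *in;                                   /* unsigned: 0..255 */
        sep = (in != sdl->sdl_data + sdl->sdl_nlen);
        need = sep + (i > 0xf ? 2 : 1);            /* '.' plus hex digits */
        if (rem < need + 1)                        /* keep room for the NUL */
            break;                                 /* cut on a byte boundary */
        if (sep)
            *out++ = '.';
        if (i > 0xf)
            *out++ = hexlist[i >> 4];              /* high nibble first */
        *out++ = hexlist[i & 0xf];
        rem -= need;
        in++;
    }
    *out = '\0';
    return (obuf);
}

/* Build a constructed sockaddr from a name and alen address bytes. */
static struct sdl_min
make_sdl(const char *name, const unsigned char *addr, size_t alen)
{
    struct sdl_min s;

    memset(&s, 0, sizeof(s));
    s.sdl_nlen = (unsigned char)strlen(name);
    s.sdl_alen = (unsigned char)(alen > 255 ? 255 : alen);
    memcpy(s.sdl_data, name, s.sdl_nlen);
    memcpy(s.sdl_data + s.sdl_nlen, addr, s.sdl_alen);
    return s;
}

/* Format a constructed address; the result lives in obuf until the next call. */
const char *
format_addr(const char *name, const unsigned char *addr, size_t alen)
{
    struct sdl_min s = make_sdl(name, addr, alen);

    return link_ntoa_bounded(&s);
}

/* Same, with alen copies of one byte value: the oversized-input case. */
const char *
format_repeated(const char *name, unsigned char byte, size_t alen)
{
    unsigned char addr[255];

    memset(addr, byte, sizeof(addr));
    return format_addr(name, addr, alen);
}

int
main(void)
{
    const unsigned char mac[6] = { 0x00, 0x1a, 0x2b, 0x3c, 0x4d, 0x5e };

    printf("%s\n", format_addr("em0", mac, sizeof(mac)));
    /* 255 bytes of 0x01 (constructed): output is cut at 63 characters. */
    printf("%zu chars\n", strlen(format_repeated("", 0x01, 255)));
    return 0;
}
```

A regression check for the libc function itself would follow the same shape: feed a sockaddr_dl with sdl_alen at its maximum of 255 and bytes that take both one and two digits, then confirm that strlen() of the result never reaches 64 and that the buffer's last byte is the NUL.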