From nobody Mon Dec 22 21:25:44 2025
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dZrm42LDSz6LfSL
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Mon, 22 Dec 2025 21:25:56 +0000 (UTC)
	(envelope-from mike@sentex.net)
Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smarthost1.sentex.ca", Issuer "R13" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4dZrm41nQvz48xP
	for <freebsd-security@freebsd.org>; Mon, 22 Dec 2025 21:25:56 +0000 (UTC)
	(envelope-from mike@sentex.net)
Authentication-Results: mx1.freebsd.org;
	none
Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19])
	by smarthost1.sentex.ca (8.18.1/8.18.1) with ESMTPS id 5BMLPj7a048636
	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL);
	Mon, 22 Dec 2025 16:25:45 -0500 (EST)
	(envelope-from mike@sentex.net)
Received: from [IPV6:2607:f3e0:0:4:8878:3fe3:dbff:f34f] ([IPv6:2607:f3e0:0:4:8878:3fe3:dbff:f34f])
	by pyroxene2a.sentex.ca (8.18.1/8.15.2) with ESMTPS id 5BMLPivQ007886
	(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO);
	Mon, 22 Dec 2025 16:25:44 -0500 (EST)
	(envelope-from mike@sentex.net)
Message-ID: <a4d9d318-e92c-4294-94e3-0d7b5a0126de@sentex.net>
Date: Mon, 22 Dec 2025 16:25:44 -0500
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: FreeBSD-SA-25:12.rtsold.asc clarification needed
To: Polarian <polarian@polarian.dev>, freebsd-security@freebsd.org
References: <a4d9a76b-3812-475e-9f2f-b885c5f5960a@sentex.net>
 <20251222210308.4352ee6f@Hydrogen>
 <479965af-2f24-4ee5-b938-adc1e5eea2a4@sentex.net>
 <20251222211100.3f245825@Hydrogen>
Content-Language: en-US
From: mike tancsa <mike@sentex.net>
Autocrypt: addr=mike@sentex.net; keydata=
 xsBNBFywzOMBCACoNFpwi5MeyEREiCeHtbm6pZJI/HnO+wXdCAWtZkS49weOoVyUj5BEXRZP
 xflV2ib2hflX4nXqhenaNiia4iaZ9ft3I1ebd7GEbGnsWCvAnob5MvDZyStDAuRxPJK1ya/s
 +6rOvr+eQiXYNVvfBhrCfrtR/esSkitBGxhUkBjOti8QwzD71JVF5YaOjBAs7jZUKyLGj0kW
 yDg4jUndudWU7G2yc9GwpHJ9aRSUN8e/mWdIogK0v+QBHfv/dsI6zVB7YuxCC9Fx8WPwfhDH
 VZC4kdYCQWKXrm7yb4TiVdBh5kgvlO9q3js1yYdfR1x8mjK2bH2RSv4bV3zkNmsDCIxjABEB
 AAHNHW1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5uZXQ+wsCOBBMBCAA4FiEEmuvCXT0aY6hs
 4SbWeVOEFl5WrMgFAl+pQfkCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQeVOEFl5W
 rMiN6ggAk3H5vk8QnbvGbb4sinxZt/wDetgk0AOR9NRmtTnPaW+sIJEfGBOz47Xih+f7uWJS
 j+uvc9Ewn2Z7n8z3ZHJlLAByLVLtcNXGoRIGJ27tevfOaNqgJHBPbFOcXCBBFTx4MYMM4iAZ
 cDT5vsBTSaM36JZFtHZBKkuFEItbA/N8ZQSHKdTYMIA7A3OCLGbJBqloQ8SlW4MkTzKX4u7R
 yefAYQ0h20x9IqC5Ju8IsYRFacVZconT16KS81IBceO42vXTN0VexbVF2rZIx3v/NT75r6Vw
 0FlXVB1lXOHKydRA2NeleS4NEG2vWqy/9Boj0itMfNDlOhkrA/0DcCurMpnpbM7ATQRcsMzk
 AQgA1Dpo/xWS66MaOJLwA28sKNMwkEk1Yjs+okOXDOu1F+0qvgE8sVmrOOPvvWr4axtKRSG1
 t2QUiZ/ZkW/x/+t0nrM39EANV1VncuQZ1ceIiwTJFqGZQ8kb0+BNkwuNVFHRgXm1qzAJweEt
 RdsCMohB+H7BL5LGCVG5JaU0lqFU9pFP40HxEbyzxjsZgSE8LwkI6wcu0BLv6K6cLm0EiHPO
 l5G8kgRi38PS7/6s3R8QDsEtbGsYy6O82k3zSLIjuDBwA9GRaeigGppTxzAHVjf5o9KKu4O7
 gC2KKVHPegbXS+GK7DU0fjzX57H5bZ6komE5eY4p3oWT/CwVPSGfPs8jOwARAQABwsB2BBgB
 CAAgFiEEmuvCXT0aY6hs4SbWeVOEFl5WrMgFAl+pQfkCGwwACgkQeVOEFl5WrMiVqwf9GwU8
 c6cylknZX8QwlsVudTC8xr/L17JA84wf03k3d4wxP7bqy5AYy7jboZMbgWXngAE/HPQU95NM
 aukysSnknzoIpC96XZJ0okLBXVS6Y0ylZQ+HrbIhMpuQPoDweoF5F9wKrsHRoDaUK1VR706X
 rwm4HUzh7Jk+auuMYfuCh0FVlFBEuiJWMLhg/5WCmcRfiuB6F59ZcUQrwLEZeNhF2XJV4KwB
 Tlg7HCWO/sy1foE5noaMyACjAtAQE9p5kGYaj+DuRhPdWUTsHNuqrhikzIZd2rrcMid+ktb0
 NvtvswzMO059z1YGMtGSqQ4srCArju+XHIdTFdiIYbd7+jeehg==
In-Reply-To: <20251222211100.3f245825@Hydrogen>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.86
X-Spamd-Bar: ----
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-Rspamd-Queue-Id: 4dZrm41nQvz48xP

On 12/22/2025 4:11 PM, Polarian wrote:
> Hey,
>
>> I only see a code change for the userland daemon. Is that code
>> somehow being pulled into the the kernel during buildworld ?
> Both rtsold and rtsol afaik are userland. I have not inspected the
> build, but someone else from #freebsd did and stated both of them are
> compiled together.

I am trying to understand if rtsold is not running and not enabled, what 
from the kernel would spin that up to expose the code path that is 
patched in the advisory?

There is only one file (userland) touched in the patch (its below). 
rtsol is based on /usr/src/usr.sbin/rtsold so the one patch seems to 
cover both of those userland files.  I dont see any archive of the irc 
chat. Do you have the text from that explaining how this code path gets 
called ? I have never heard of userland src files in FreeBSD being 
included in the kernel. Your friend is certain of this ?


--- usr.sbin/rtsold/rtsol.c.orig
+++ usr.sbin/rtsold/rtsol.c
@@ -776,6 +776,41 @@
                     argv[0], status);
  }

+#define        PERIOD 0x2e
+#define        hyphenchar(c) ((c) == 0x2d)
+#define        periodchar(c) ((c) == PERIOD)
+#define        alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) || \
+           ((c) >= 0x61 && (c) <= 0x7a))
+#define        digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+
+#define        borderchar(c) (alphachar(c) || digitchar(c))
+#define        middlechar(c) (borderchar(c) || hyphenchar(c))
+
+static int
+res_hnok(const char *dn)
+{
+       int pch = PERIOD, ch = *dn++;
+
+       while (ch != '\0') {
+               int nch = *dn++;
+
+               if (periodchar(ch)) {
+                       ;
+               } else if (periodchar(pch)) {
+                       if (!borderchar(ch))
+                               return (0);
+               } else if (periodchar(nch) || nch == '\0') {
+                       if (!borderchar(ch))
+                               return (0);
+               } else {
+                       if (!middlechar(ch))
+                               return (0);
+               }
+               pch = ch, ch = nch;
+       }
+       return (1);
+}
+
  /* Decode domain name label encoding in RFC 1035 Section 3.1 */
  static size_t
  dname_labeldec(char *dst, size_t dlen, const char *src)
@@ -804,12 +839,11 @@
         }
         *dst = '\0';

-       /*
-        * XXX validate that domain name only contains valid characters
-        * for two reasons: 1) correctness, 2) we do not want to pass
-        * possible malicious, unescaped characters like `` to a script
-        * or program that could be exploited that way.
-        */
+       if (!res_hnok(dst_origin)) {
+               warnmsg(LOG_INFO, __func__,
+                   "invalid domain name '%s' was ignored", dst_origin);
+               return (0);
+       }

         return (src - src_origin);
  }


     ---Mike