Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 13 Feb 2026 16:01:44 +0000
From:      Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav <des@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 59906a163e47 - main - ngctl: Fix buffer overflow in config command
Message-ID:  <698f4ae8.22608.7a14ac4@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=59906a163e474c8d00bdebe226c4d47332b91bad

commit 59906a163e474c8d00bdebe226c4d47332b91bad
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-02-13 15:57:50 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2026-02-13 15:57:58 +0000

    ngctl: Fix buffer overflow in config command
    
    Keep track of our buffer length when assembling the argument list.
    
    PR:             293075
    MFC after:      1 week
    Reviewed by:    zlei, markj
    Differential Revision:  https://reviews.freebsd.org/D55259
---
 usr.sbin/ngctl/config.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/usr.sbin/ngctl/config.c b/usr.sbin/ngctl/config.c
index 25cd841494d1..0c9096738efa 100644
--- a/usr.sbin/ngctl/config.c
+++ b/usr.sbin/ngctl/config.c
@@ -62,7 +62,7 @@ ConfigCmd(int ac, char **av)
 	struct ng_mesg *const resp = (struct ng_mesg *) sbuf;
 	char *const status = (char *) resp->data;
 	char *path;
-	char buf[NG_TEXTRESPONSE];
+	char buf[NG_TEXTRESPONSE], *pos, *end;
 	int nostat = 0, i;
 
 	/* Get arguments */
@@ -70,20 +70,26 @@ ConfigCmd(int ac, char **av)
 		return (CMDRTN_USAGE);
 	path = av[1];
 
-	*buf = '\0';
+	pos = buf;
+	end = buf + sizeof(buf);
 	for (i = 2; i < ac; i++) {
-		if (i != 2)
-			strcat(buf, " ");
-		strcat(buf, av[i]);
+		if (i > 2) {
+			if (pos == end)
+				return (CMDRTN_USAGE);
+			*pos++ = ' ';
+		}
+		if ((pos += strlcpy(pos, av[i], end - pos)) >= end)
+			return (CMDRTN_USAGE);
 	}
-	
+	*pos = '\0';
+
 	/* Get node config summary */
 	if (*buf != '\0')
 		i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE,
-	            NGM_TEXT_CONFIG, buf, strlen(buf) + 1);
+		    NGM_TEXT_CONFIG, buf, pos - buf + 1);
 	else
 		i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE,
-	            NGM_TEXT_CONFIG, NULL, 0);
+		    NGM_TEXT_CONFIG, NULL, 0);
 	if (i < 0) {
 		switch (errno) {
 		case EINVAL:
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?698f4ae8.22608.7a14ac4>