From nobody Fri Feb 13 16:01:44 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fCH3Y2lXvz6S3gn for ; Fri, 13 Feb 2026 16:01:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fCH3Y0Tvhz3jV6 for ; Fri, 13 Feb 2026 16:01:45 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1770998505; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=J1/9gimrONuCWgttqCPoiWWjS1PDY8ohg8iVe8SogpQ=; b=ao3F4eFKQfGK9l4c9RUwnwK6xoIK8fOFucrWK34dhY5dqT77FpnK8yqkX0ojwCaEQRIj67 IBfRQqnfm/FMmvETRYKha0V7YO96K9dEr8mV3vg+xo9h6NN9mvZQ11jnXA4o+qyKav/EhR KOnK2WxwLGLD8XMU6n5EEzNx5vu5V631IswEwcuKXEacTnfL+glptVh8aq8iUD7qFkP2DF TaXCTq0Gmdj0a2tTDiL3Gx1dHei0Uu4Zzf6T3JzeQPqR5kl18iQEHzh+v1Vs4QiY1/oG1Z deDzGocTiMZV1B27+04UJndYnYIosHlv1wkcePuBJ1O7OPYu4s+/AAml+EuOJA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1770998505; a=rsa-sha256; cv=none; b=YAYUXRHE0hyj8KsaI5Vztr780t6OJqf67gpf8L+I3yIz6yS+IdafmZE8t403EkyOs6bfKi 39Doeor1LY5438bYYKKSYHxX/YST6PeutnoQLKHgsh61o7qT2MsQz7QoK1RhBwxAkCPPE8 R41+LWS06WlezyZuXCqHwstzO6Adww/0Pk2KcgT3GR2A3y2KrKiB+S//ZEKkK4R6kLwig8 sIUlTpgo86IqStoO/wBsd1slJu8xyGbug9R8XGa/kTS/jBroqolhcnArbmuVgVBjA0LSTe FAzcrmffuN5icCDq20ln8EiPYnR2LbJ8T3XaB4AMMVMqGNCQ2ch7vhX4QARI9g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1770998505; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=J1/9gimrONuCWgttqCPoiWWjS1PDY8ohg8iVe8SogpQ=; b=g8o1/ig3e8krwYHSYTkNePWnOlI/yM9zhnRibDG0VBjBx8Zf4OqftLUPl1KFf2BgTWPGHe tJToM+SLpoqDDf8IgEYD4OFDbKpnI5X6CV8emcrQugu2JEzo8AVz847C079y9Gq7m402bE O4cki/E0fVRL8uOMmsV8YBda46znm/uYvNHAjXRJpOAthc9bCEKs9EjwIOryEoaNARXei5 e12e3pt1Nfku+YT924xhSn686+fbQWSeft/fk6W4foufhMFVL+S86naSe0NohiFpd8Yk/D vchNQziLcxySsfnpoQFI9S05wdvek/QmJjWogj7PppFM9p1NXLfHQT8VHkdTBA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fCH3Y04rdzCX2 for ; Fri, 13 Feb 2026 16:01:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 22608 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Fri, 13 Feb 2026 16:01:44 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 59906a163e47 - main - ngctl: Fix buffer overflow in config command List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 59906a163e474c8d00bdebe226c4d47332b91bad Auto-Submitted: auto-generated Date: Fri, 13 Feb 2026 16:01:44 +0000 Message-Id: <698f4ae8.22608.7a14ac4@gitrepo.freebsd.org> The branch main has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=59906a163e474c8d00bdebe226c4d47332b91bad commit 59906a163e474c8d00bdebe226c4d47332b91bad Author: Dag-Erling Smørgrav AuthorDate: 2026-02-13 15:57:50 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-02-13 15:57:58 +0000 ngctl: Fix buffer overflow in config command Keep track of our buffer length when assembling the argument list. PR: 293075 MFC after: 1 week Reviewed by: zlei, markj Differential Revision: https://reviews.freebsd.org/D55259 --- usr.sbin/ngctl/config.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/usr.sbin/ngctl/config.c b/usr.sbin/ngctl/config.c index 25cd841494d1..0c9096738efa 100644 --- a/usr.sbin/ngctl/config.c +++ b/usr.sbin/ngctl/config.c @@ -62,7 +62,7 @@ ConfigCmd(int ac, char **av) struct ng_mesg *const resp = (struct ng_mesg *) sbuf; char *const status = (char *) resp->data; char *path; - char buf[NG_TEXTRESPONSE]; + char buf[NG_TEXTRESPONSE], *pos, *end; int nostat = 0, i; /* Get arguments */ @@ -70,20 +70,26 @@ ConfigCmd(int ac, char **av) return (CMDRTN_USAGE); path = av[1]; - *buf = '\0'; + pos = buf; + end = buf + sizeof(buf); for (i = 2; i < ac; i++) { - if (i != 2) - strcat(buf, " "); - strcat(buf, av[i]); + if (i > 2) { + if (pos == end) + return (CMDRTN_USAGE); + *pos++ = ' '; + } + if ((pos += strlcpy(pos, av[i], end - pos)) >= end) + return (CMDRTN_USAGE); } - + *pos = '\0'; + /* Get node config summary */ if (*buf != '\0') i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, buf, strlen(buf) + 1); + NGM_TEXT_CONFIG, buf, pos - buf + 1); else i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, NULL, 0); + NGM_TEXT_CONFIG, NULL, 0); if (i < 0) { switch (errno) { case EINVAL: