To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Dag-Erling Smørgrav
From: Colin Percival Subject: git: f16fc39527ee - releng/14.4 - ngctl: Fix buffer overflow in config command List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cperciva X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.4 X-Git-Reftype: branch X-Git-Commit: f16fc39527ee758aca81085c11e2b677895ee4e5 Auto-Submitted: auto-generated Date: Wed, 18 Feb 2026 01:53:08 +0000 Message-Id: <69951b84.44fc7.3477c742@gitrepo.freebsd.org> The branch releng/14.4 has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=f16fc39527ee758aca81085c11e2b677895ee4e5 commit f16fc39527ee758aca81085c11e2b677895ee4e5 Author: Dag-Erling Smørgrav AuthorDate: 2026-02-13 15:57:50 +0000 Commit: Colin Percival CommitDate: 2026-02-18 01:48:33 +0000 ngctl: Fix buffer overflow in config command Keep track of our buffer length when assembling the argument list. PR: 293075 MFC after: 1 week Reviewed by: zlei, markj Differential Revision: https://reviews.freebsd.org/D55259 (cherry picked from commit 59906a163e474c8d00bdebe226c4d47332b91bad) (cherry picked from commit e5bf728058da2b9cdc056e49bd82b57310588b3e) --- usr.sbin/ngctl/config.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/usr.sbin/ngctl/config.c b/usr.sbin/ngctl/config.c index 261bc950f570..611975ef5b10 100644 --- a/usr.sbin/ngctl/config.c +++ b/usr.sbin/ngctl/config.c @@ -62,7 +62,7 @@ ConfigCmd(int ac, char **av) struct ng_mesg *const resp = (struct ng_mesg *) sbuf; char *const status = (char *) resp->data; char *path; - char buf[NG_TEXTRESPONSE]; + char buf[NG_TEXTRESPONSE], *pos, *end; int nostat = 0, i; /* Get arguments */ 
@@ -70,20 +70,26 @@ ConfigCmd(int ac, char **av) return (CMDRTN_USAGE); path = av[1]; - *buf = '\0'; + pos = buf; + end = buf + sizeof(buf); for (i = 2; i < ac; i++) { - if (i != 2) - strcat(buf, " "); - strcat(buf, av[i]); + if (i > 2) { + if (pos == end) + return (CMDRTN_USAGE); + *pos++ = ' '; + } + if ((pos += strlcpy(pos, av[i], end - pos)) >= end) + return (CMDRTN_USAGE); } - + *pos = '\0'; + /* Get node config summary */ if (*buf != '\0') i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, buf, strlen(buf) + 1); + NGM_TEXT_CONFIG, buf, pos - buf + 1); else i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, NULL, 0); + NGM_TEXT_CONFIG, NULL, 0); if (i < 0) { switch (errno) { case EINVAL:
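
Review bot: In the second hunk (`@@ -70,20 +70,26 @@`), `pos += strlcpy(pos, av[i], end - pos)` advances `pos` by the full length of `av[i]` before the `>= end` comparison, so an oversized argument leaves `pos` more than one element past the end of `buf`, which is undefined pointer arithmetic in C even though the pointer is never dereferenced. Consider storing the `strlcpy()` return value in a `size_t`, comparing it against `(size_t)(end - pos)`, and only adding it to `pos` once it is known to fit. The `if (pos == end)` test before `*pos++ = ' '` also looks unreachable, because every earlier iteration returns unless `pos < end`; dropping it or adding a short comment would make the loop invariant clearer. Returning `CMDRTN_USAGE` on truncation gives the user no hint that the argument list exceeded `NG_TEXTRESPONSE`; a diagnostic message before the return would make the failure easier to understand.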