From owner-svn-src-head@freebsd.org  Wed Apr  1 09:51:37 2020
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id BDD332B69D6;
 Wed,  1 Apr 2020 09:51:37 +0000 (UTC)
 (envelope-from andrew@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48shL05KHzz41Dk;
 Wed,  1 Apr 2020 09:51:36 +0000 (UTC)
 (envelope-from andrew@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5FDF023096;
 Wed,  1 Apr 2020 09:51:30 +0000 (UTC)
 (envelope-from andrew@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0319pTww075539;
 Wed, 1 Apr 2020 09:51:29 GMT (envelope-from andrew@FreeBSD.org)
Received: (from andrew@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0319pT5J075538;
 Wed, 1 Apr 2020 09:51:29 GMT (envelope-from andrew@FreeBSD.org)
Message-Id: <202004010951.0319pT5J075538@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: andrew set sender to
 andrew@FreeBSD.org using -f
From: Andrew Turner <andrew@FreeBSD.org>
Date: Wed, 1 Apr 2020 09:51:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r359505 - head/usr.sbin/jail
X-SVN-Group: head
X-SVN-Commit-Author: andrew
X-SVN-Commit-Paths: head/usr.sbin/jail
X-SVN-Commit-Revision: 359505
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 09:51:37 -0000

Author: andrew
Date: Wed Apr  1 09:51:29 2020
New Revision: 359505
URL: https://svnweb.freebsd.org/changeset/base/359505

Log:
  Use memmove to copy within a buffer
  
  jail(8) would try to use strcpy to remove the interface from the start of
  an IP address. This is undefined, and on arm64 will result in unexpected
  IPv6 addresses.
  
  Fix this by using memmove top move the string.
  
  PR:		245102
  Reported by:	sbruno
  MFC after:	2 weeks
  Sponsored by:	Innovate UK

Modified:
  head/usr.sbin/jail/config.c

Modified: head/usr.sbin/jail/config.c
==============================================================================
--- head/usr.sbin/jail/config.c	Wed Apr  1 09:01:35 2020	(r359504)
+++ head/usr.sbin/jail/config.c	Wed Apr  1 09:51:29 2020	(r359505)
@@ -596,8 +596,8 @@ check_intparams(struct cfjail *j)
 			if (cs || defif)
 				add_param(j, NULL, IP__IP4_IFADDR, s->s);
 			if (cs) {
-				strcpy(s->s, cs + 1);
 				s->len -= cs + 1 - s->s;
+				memmove(s->s, cs + 1, s->len + 1);
 			}
 			if ((cs = strchr(s->s, '/')) != NULL) {
 				*cs = '\0';
@@ -617,8 +617,8 @@ check_intparams(struct cfjail *j)
 			if (cs || defif)
 				add_param(j, NULL, IP__IP6_IFADDR, s->s);
 			if (cs) {
-				strcpy(s->s, cs + 1);
 				s->len -= cs + 1 - s->s;
+				memmove(s->s, cs + 1, s->len + 1);
 			}
 			if ((cs = strchr(s->s, '/')) != NULL) {
 				*cs = '\0';