Date: Tue, 21 May 2019 07:04:54 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 238013] Buffer overrun in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c Message-ID: <bug-238013-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238013 Bug ID: 238013 Summary: Buffer overrun in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: yangx92@hotmail.com Created attachment 204501 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204501&action=edit Proposed patch There is a buffer overrun vulnerability in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c, which is same as vulnerability that was fixed in https://github.com/freebsd/freebsd/commit/a9647f4732da9b517eec6d174a7c1f2441443729. static size_t dname_labeldec(char *dst, size_t dlen, const char *src) { size_t len; const char *src_origin; const char *src_last; const char *dst_origin; src_origin = src; src_last = strchr(src, '\0'); dst_origin = dst; memset(dst, '\0', dlen); while (src && (len = (uint8_t)(*src++) & 0x3f) && (src + len) <= src_last) { if (dst != dst_origin) *dst++ = '.'; mysyslog(LOG_DEBUG, "<%s> labellen = %zd", __func__, len); memcpy(dst, src, len); src += len; dst += len; } *dst = '\0'; return (src - src_origin); } In the condition of while, we should limit the range of variable dst. The attachment is the proposed patch. -- You are receiving this mail because: You are the assignee for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238013-227>