From nobody Tue Feb 17 23:58:00 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fFxRF2YYbz6SK6v for ; Tue, 17 Feb 2026 23:58:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fFxRF0Gsqz4Q15 for ; Tue, 17 Feb 2026 23:58:01 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1771372681; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=JTE4Yowto/YXMREu0eqiWiBYT9zI6ymIN2hQo2USuvw=; b=DZXsLZYn/zKhflO4aOmPACvJGahvOX5kp9ZwolQRVj9sZEWW/jRfFuKqzXz89vf5ouZ/68 Oc8hUbGRQXIxvhnxz+lOO5W+adLvPIHfD7FqDi2mtMa/imDCByFTN949E5/Vt6sXUBxxKL jWN9VP/PejTkn9su6pnLAgkFZT+u+iUXxMVsjkl3qI+u2r9HvhDSY74xqeeJQCL+UpFPxQ 1RL5rY/e+xk6k+E0ZoQqRV4o03icfq2LrHjb28ziba5mXs9+eUkSlyEjsye7J7b7uaxm/5 hUrLORN2eZmrEgIzxWGVcQzTMqwHaTKr+1wPwwESTsmEdppIsk7K2bn8g+gkhg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1771372681; a=rsa-sha256; cv=none; b=Jw4Lz7VBHBEeY/jSLl8WlK6NMAi+FNr9gzwOhuMOreaS49Z/k1UdRDFIUD6i1I2DsVQyPE kWjhGX8UhC17FVarROBaRPbGWCN2FR/kgCe1nFtTMpmPdqftDA8R8FUnYqgAltX4FSaLM3 M6WaQQjjpdyfmYSipedtEn6mTE2T1RI1Idz10xvOcTgbyo0akwoqf6mxk0iuavSXoO1Gfr vGF13kINqK42ijepHafiViN8RAddk1HRS4IQ42mSRJZ7dPUDvNUJGuwsuo5E1nGgzxQf5R Vq0pzBLvdyUUZm98eugjHrObrh0DuTcU+OY/cgQU4a94GHXI62apiInTmlTu8A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1771372681; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=JTE4Yowto/YXMREu0eqiWiBYT9zI6ymIN2hQo2USuvw=; b=JVN7F0D0+zqBDtXEjitFgiIFUUWDxqrFfLLZmuAqF0WkFpnzDtTDRwd0nP1gM/RpEuiWCA qrJ8FxSFAdlu8Rwh0F+6FjGeL5M3jVFqtM3TXXOK/OJ8ibiQZQT6Yla4K+nZh1RVAga0od U7WsKBKImD+oGlimHsce0OW8NPAZDT1kRp3AfxXLo8euVl8R+spdfAtxbsS1gj8Uc57cAe 3UrkdR+a4fASnn0ZuiXp3B+4hASQ5XgEoXRRiCYP9SEuBYAbg7rRQMzmQysmAX3rZqrCqn 3GR8ZFbPf1M0xaQlpJ3vY27kwlEwwsnAB5VctOdr2C8/D7S7O7m1LuBhBfp3bw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fFxRD3lq4zXW0 for ; Tue, 17 Feb 2026 23:58:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3bda8 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 17 Feb 2026 23:58:00 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 669347f67a07 - stable/15 - ngctl: Fix buffer overflow in config command List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 669347f67a07db17a8b1a748cbc05e859d8095cd Auto-Submitted: auto-generated Date: Tue, 17 Feb 2026 23:58:00 +0000 Message-Id: <69950088.3bda8.34db282f@gitrepo.freebsd.org> The branch stable/15 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=669347f67a07db17a8b1a748cbc05e859d8095cd commit 669347f67a07db17a8b1a748cbc05e859d8095cd Author: Dag-Erling Smørgrav AuthorDate: 2026-02-13 15:57:50 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-02-17 23:11:48 +0000 ngctl: Fix buffer overflow in config command Keep track of our buffer length when assembling the argument list. PR: 293075 MFC after: 1 week Reviewed by: zlei, markj Differential Revision: https://reviews.freebsd.org/D55259 (cherry picked from commit 59906a163e474c8d00bdebe226c4d47332b91bad) --- usr.sbin/ngctl/config.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/usr.sbin/ngctl/config.c b/usr.sbin/ngctl/config.c index 25cd841494d1..0c9096738efa 100644 --- a/usr.sbin/ngctl/config.c +++ b/usr.sbin/ngctl/config.c @@ -62,7 +62,7 @@ ConfigCmd(int ac, char **av) struct ng_mesg *const resp = (struct ng_mesg *) sbuf; char *const status = (char *) resp->data; char *path; - char buf[NG_TEXTRESPONSE]; + char buf[NG_TEXTRESPONSE], *pos, *end; int nostat = 0, i; /* Get arguments */ @@ -70,20 +70,26 @@ ConfigCmd(int ac, char **av) return (CMDRTN_USAGE); path = av[1]; - *buf = '\0'; + pos = buf; + end = buf + sizeof(buf); for (i = 2; i < ac; i++) { - if (i != 2) - strcat(buf, " "); - strcat(buf, av[i]); + if (i > 2) { + if (pos == end) + return (CMDRTN_USAGE); + *pos++ = ' '; + } + if ((pos += strlcpy(pos, av[i], end - pos)) >= end) + return (CMDRTN_USAGE); } - + *pos = '\0'; + /* Get node config summary */ if (*buf != '\0') i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, buf, strlen(buf) + 1); + NGM_TEXT_CONFIG, buf, pos - buf + 1); else i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, NULL, 0); + NGM_TEXT_CONFIG, NULL, 0); if (i < 0) { switch (errno) { case EINVAL: