From nobody Wed Feb 18 00:09:00 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fFxgx0CYmz6SKjK for ; Wed, 18 Feb 2026 00:09:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fFxgw3RwCz3D1x for ; Wed, 18 Feb 2026 00:09:00 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1771373340; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hVcA9u/Ql6E8k1tYoLmLocDXMaPlgLGyC3dIHl3jip8=; b=sRly78WTTqSUceg0Fe9PZwfTW1fa5HfZ0u0BABeNjBDMn7ROv99VjKOOI7iJm1uC8Mi0aT Xcisj9RqWZTDmsPiUu+V0LcgYvu26Kwt4MeTPfSMsDMobBOJOyO/VEjH8vg08Wq+nZo5EA CR9WJBg+zbLKSrtseGmJjMLNprXyxERTRSmXYdPzNCr3dOIBB665UUlQFwRjjv2qKzQW/O 8RqRP+qYMUbgcbZUZuH6e/lehR/Pvl1yMCT9dfG3t3fCJ+9WPsnA9B1KVrBINnQP+RaiHL 68/vXbAW5JZ+KU1bXNXIiM4RLnVSs9bMJ9V1dY9U9mWh3lFhu+QJHWmUYTvfrw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1771373340; a=rsa-sha256; cv=none; b=wm30JXNn68KxD8GLv3dIhcpNwCuwxUrKpFatsDxz6AfDC2KllHvVI+9o6EDD6BxIHyyjIu hYYWYf18Lio/K7TnW5gAVRnmesAMwVO7Rgwh/LMmfiRY8+E5vxvDd3nVky6qrTPh1RmnpF NDFqCYAzss7cBJJOZwSmD6JYBrQI7/uYoYX838CEqQthIVo/dWYsWZyBPvRaJSmTryOdEl 86BXIeMtpL9z2trp+NRe9SigFTuvgC+0s9QoJZN9JFQURlezl7L04MmYz7RKJxqe5VIfZ3 +yZ9vhFVj/d+Mll4eDW48mDl/Clp0Cg0pmi0au89fI4fMz6RV07PHn0bzp1q2w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1771373340; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hVcA9u/Ql6E8k1tYoLmLocDXMaPlgLGyC3dIHl3jip8=; b=WgC+1zns9F9RxFFcgwO+1Kdk7GxTr1e93DTEh+5N1xyqOMkmEeL9arTNux7hqkJCnvVS2r yZ34EuP1y5SQr5Vm9yvlx9DixNQU4WE2f0NvvkV8wBXDBvAc54EUA39PpbGSirs3Q0x1vf W/vq9rGTmTeBRfi1+BdVabKzyAHQ4kmkAGMFoJvk0c3aqxdVYf/vANR//3P02f4P/cuPGn bz50yN8SqkVbo/nD4MxhNhsuXoeNAPTLN0j3gvXhHzaZ9ylL/Z4WWt3iiiYE8Bqz0Edxrm vO8P87i5EA53M++J9uxOs+WcUh2O57nf5r1YawKcuNMBi9rvA4IiBxaWK8v9aA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fFxgw33jbzYND for ; Wed, 18 Feb 2026 00:09:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c820 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 18 Feb 2026 00:09:00 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: e5bf728058da - stable/14 - ngctl: Fix buffer overflow in config command List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: e5bf728058da2b9cdc056e49bd82b57310588b3e Auto-Submitted: auto-generated Date: Wed, 18 Feb 2026 00:09:00 +0000 Message-Id: <6995031c.3c820.325e0566@gitrepo.freebsd.org> The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=e5bf728058da2b9cdc056e49bd82b57310588b3e commit e5bf728058da2b9cdc056e49bd82b57310588b3e Author: Dag-Erling Smørgrav AuthorDate: 2026-02-13 15:57:50 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-02-17 23:12:02 +0000 ngctl: Fix buffer overflow in config command Keep track of our buffer length when assembling the argument list. PR: 293075 MFC after: 1 week Reviewed by: zlei, markj Differential Revision: https://reviews.freebsd.org/D55259 (cherry picked from commit 59906a163e474c8d00bdebe226c4d47332b91bad) --- usr.sbin/ngctl/config.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/usr.sbin/ngctl/config.c b/usr.sbin/ngctl/config.c index 261bc950f570..611975ef5b10 100644 --- a/usr.sbin/ngctl/config.c +++ b/usr.sbin/ngctl/config.c @@ -62,7 +62,7 @@ ConfigCmd(int ac, char **av) struct ng_mesg *const resp = (struct ng_mesg *) sbuf; char *const status = (char *) resp->data; char *path; - char buf[NG_TEXTRESPONSE]; + char buf[NG_TEXTRESPONSE], *pos, *end; int nostat = 0, i; /* Get arguments */ @@ -70,20 +70,26 @@ ConfigCmd(int ac, char **av) return (CMDRTN_USAGE); path = av[1]; - *buf = '\0'; + pos = buf; + end = buf + sizeof(buf); for (i = 2; i < ac; i++) { - if (i != 2) - strcat(buf, " "); - strcat(buf, av[i]); + if (i > 2) { + if (pos == end) + return (CMDRTN_USAGE); + *pos++ = ' '; + } + if ((pos += strlcpy(pos, av[i], end - pos)) >= end) + return (CMDRTN_USAGE); } - + *pos = '\0'; + /* Get node config summary */ if (*buf != '\0') i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, buf, strlen(buf) + 1); + NGM_TEXT_CONFIG, buf, pos - buf + 1); else i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, NULL, 0); + NGM_TEXT_CONFIG, NULL, 0); if (i < 0) { switch (errno) { case EINVAL: