git: 6316ab68d331 - releng/14.4 - ngctl: Check hook name length

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Colin Percival <cperciva_at_FreeBSD.org>
Date: Wed, 18 Feb 2026 01:53:07 UTC
The branch releng/14.4 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=6316ab68d331098749ad1eac63a183a4c9ccda3c

commit 6316ab68d331098749ad1eac63a183a4c9ccda3c
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-02-13 15:57:46 +0000
Commit:     Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2026-02-18 01:48:33 +0000

    ngctl: Check hook name length
    
    Check the length of the hook name when copying it into the sockaddr.
    
    MFC after:      1 week
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D55258
    
    (cherry picked from commit 585190dff436eeea3be97300e36c82559028d3dd)
    (cherry picked from commit 71c0f48ab19fbac3d93e29d8964db2f215ddf722)
---
 usr.sbin/ngctl/write.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/usr.sbin/ngctl/write.c b/usr.sbin/ngctl/write.c
index 1e86963fb39c..7ee8dcfaa241 100644
--- a/usr.sbin/ngctl/write.c
+++ b/usr.sbin/ngctl/write.c
@@ -35,10 +35,12 @@
 #include <sys/socket.h>
 
 #include <err.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 
+#include <netgraph/ng_message.h>
 #include <netgraph/ng_socket.h>
 
 #include "ngctl.h"
@@ -63,6 +65,7 @@ WriteCmd(int ac, char **av)
 	struct sockaddr_ng *sag = (struct sockaddr_ng *)sagbuf;
 	u_char buf[BUF_SIZE];
 	const char *hook;
+	size_t hooklen;
 	FILE *fp;
 	u_int len;
 	int byte;
@@ -72,6 +75,14 @@ WriteCmd(int ac, char **av)
 	if (ac < 3)
 		return (CMDRTN_USAGE);
 	hook = av[1];
+	_Static_assert(sizeof(sagbuf) >=
+	    offsetof(struct sockaddr_ng, sg_data) + NG_HOOKSIZ,
+	    "sagbuf is too small for NG_HOOKSIZ");
+	hooklen = strlcpy(sag->sg_data, hook, NG_HOOKSIZ);
+	if (hooklen >= NG_HOOKSIZ) {
+		warnx("hook name \"%s\" too long", hook);
+		return (CMDRTN_ERROR);
+	}
 
 	/* Get data */
 	if (strcmp(av[2], "-f") == 0) {
@@ -104,11 +115,10 @@ WriteCmd(int ac, char **av)
 	}
 
 	/* Send data */
-	sag->sg_len = 3 + strlen(hook);
+	sag->sg_len = 3 + hooklen;
 	sag->sg_family = AF_NETGRAPH;
-	strlcpy(sag->sg_data, hook, sizeof(sagbuf) - 2);
-	if (sendto(dsock, buf, len,
-	    0, (struct sockaddr *)sag, sag->sg_len) == -1) {
+	if (sendto(dsock, buf, len, 0, (struct sockaddr *)sag,
+	    sag->sg_len) < 0) {
 		warn("writing to hook \"%s\"", hook);
 		return (CMDRTN_ERROR);
 	}