git: f16fc39527ee - releng/14.4 - ngctl: Fix buffer overflow in config command
Date: Wed, 18 Feb 2026 01:53:08 UTC
The branch releng/14.4 has been updated by cperciva:
URL: https://cgit.FreeBSD.org/src/commit/?id=f16fc39527ee758aca81085c11e2b677895ee4e5
commit f16fc39527ee758aca81085c11e2b677895ee4e5
Author: Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-02-13 15:57:50 +0000
Commit: Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2026-02-18 01:48:33 +0000
ngctl: Fix buffer overflow in config command
Keep track of our buffer length when assembling the argument list.
PR: 293075
MFC after: 1 week
Reviewed by: zlei, markj
Differential Revision: https://reviews.freebsd.org/D55259
(cherry picked from commit 59906a163e474c8d00bdebe226c4d47332b91bad)
(cherry picked from commit e5bf728058da2b9cdc056e49bd82b57310588b3e)
---
usr.sbin/ngctl/config.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/usr.sbin/ngctl/config.c b/usr.sbin/ngctl/config.c
index 261bc950f570..611975ef5b10 100644
--- a/usr.sbin/ngctl/config.c
+++ b/usr.sbin/ngctl/config.c
@@ -62,7 +62,7 @@ ConfigCmd(int ac, char **av)
struct ng_mesg *const resp = (struct ng_mesg *) sbuf;
char *const status = (char *) resp->data;
char *path;
- char buf[NG_TEXTRESPONSE];
+ char buf[NG_TEXTRESPONSE], *pos, *end;
int nostat = 0, i;
/* Get arguments */
@@ -70,20 +70,26 @@ ConfigCmd(int ac, char **av)
return (CMDRTN_USAGE);
path = av[1];
- *buf = '\0';
+ pos = buf;
+ end = buf + sizeof(buf);
for (i = 2; i < ac; i++) {
- if (i != 2)
- strcat(buf, " ");
- strcat(buf, av[i]);
+ if (i > 2) {
+ if (pos == end)
+ return (CMDRTN_USAGE);
+ *pos++ = ' ';
+ }
+ if ((pos += strlcpy(pos, av[i], end - pos)) >= end)
+ return (CMDRTN_USAGE);
}
-
+ *pos = '\0';
+
/* Get node config summary */
if (*buf != '\0')
i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE,
- NGM_TEXT_CONFIG, buf, strlen(buf) + 1);
+ NGM_TEXT_CONFIG, buf, pos - buf + 1);
else
i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE,
- NGM_TEXT_CONFIG, NULL, 0);
+ NGM_TEXT_CONFIG, NULL, 0);
if (i < 0) {
switch (errno) {
case EINVAL:
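Review bot: In the argument loop, `pos += strlcpy(pos, av[i], end - pos)` advances `pos` by the full length of `av[i]` before the bounds test, so for an over-long argument it forms a pointer well past `buf + sizeof(buf)`; that is undefined behaviour in C even though nothing is written there, and the `>= end` comparison then relies on the out-of-range pointer. Comparing lengths first keeps every pointer inside the array: `len = strlcpy(pos, av[i], end - pos);` `if (len >= (size_t)(end - pos)) return (CMDRTN_USAGE);` `pos += len;`, with a `size_t len` declared next to `pos` and `end`. The `pos == end` test before the separator appears unreachable as written, since `pos < end` holds after every copy that did not return. Returning CMDRTN_USAGE also gives the user no hint that the assembled string exceeded NG_TEXTRESPONSE; a short `warnx()` before the return would make the rejection diagnosable. ConfigCmd begins before and continues after this hunk.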