Date: Fri, 3 May 2024 08:29:30 GMT
Message-Id: <202405030829.4438TUWK009949@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Xin LI
Subject: git: 95032b58a1ad - main - Tighten boundary check in split(1) to prevent a potential buffer overflow.
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: delphij
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 95032b58a1ad0fde57518f17805ca721bb4563ad

The branch main has been updated by delphij:

URL: https://cgit.FreeBSD.org/src/commit/?id=95032b58a1ad0fde57518f17805ca721bb4563ad

commit 95032b58a1ad0fde57518f17805ca721bb4563ad
Author:     Shawn Bayern
AuthorDate: 2024-05-03 07:46:18 +0000
Commit:     Xin LI
CommitDate: 2024-05-03 08:29:20 +0000

    Tighten boundary check in split(1) to prevent a potential buffer overflow.

    Before increasing sufflen, make sure the current name plus two (including
    the terminating NUL character and the to-be-added character) does not
    exceed the fixed buffer length, and stop immediately if this would occur.

    In the worst case scenario the code would write a nul character beyond
    the boundary; however, it would be caught by open(2) and, based on the
    memory layout, we do not believe this would constitute a security
    vulnerability.

    MFC after: 3 days

--- usr.bin/split/split.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr.bin/split/split.c b/usr.bin/split/split.c index 0241637c93ad..2724f8a20cde 100644 --- a/usr.bin/split/split.c +++ b/usr.bin/split/split.c
@@ -390,6 +390,10 @@ newfile(void) */ if (!dflag && autosfx && (fpnt[0] == 'y') && strspn(fpnt+1, "z") == strlen(fpnt+1)) { + /* Ensure the generated filenames will fit into the buffer. */ + if (strlen(fname) + 2 >= sizeof(fname)) + errx(EX_USAGE, "combined filenames would be too long"); + fpnt = fname + strlen(fname) - sufflen; fpnt[sufflen + 2] = '\0'; fpnt[0] = end;
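Review bot: The added guard in newfile() uses a bare `+ 2` that has to stay in step with the store `fpnt[sufflen + 2] = '\0'` two lines below it, and the in-code comment does not say so. With `fpnt = fname + strlen(fname) - sufflen`, that store lands at offset strlen(fname) + 2 in fname, which is exactly what `strlen(fname) + 2 >= sizeof(fname)` bounds, so the check is right for the visible write. It would be more robust to compute strlen(fname) once into a local and use it for both the check and the fpnt assignment, and to extend the comment to name the store it protects, so a later change to the suffix growth cannot silently desynchronize the two. The diffstat lists only usr.bin/split/split.c, so a regression test that drives the autosfx extension path with a name near the buffer limit would be worth adding alongside. Minor: the errx() message could include fname so the user can see which name was rejected.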