git: bf804f69dd94 - main - rtsold: Validate entries in domain search lists

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 16 Dec 2025 23:39:18 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=bf804f69dd94b3c98962618b4ad3b48a35bff2ff

commit bf804f69dd94b3c98962618b4ad3b48a35bff2ff
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-12-15 20:50:08 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-12-16 23:38:48 +0000

    rtsold: Validate entries in domain search lists
    
    Reported by:    Kevin Day <kevin@your.org>
    Approved by:    so
    Security:       FreeBSD-SA-25:12.rtsold
    Security:       CVE-2025-14558
---
 usr.sbin/rtsold/rtsol.c | 46 ++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index 79928932ca5c..a7d5a44a7d44 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -776,6 +776,41 @@ call_script(const char *const argv[], struct script_msg_head_t *sm_head)
 		    argv[0], status);
 }
 
+#define	PERIOD 0x2e
+#define	hyphenchar(c) ((c) == 0x2d)
+#define	periodchar(c) ((c) == PERIOD)
+#define	alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) || \
+	    ((c) >= 0x61 && (c) <= 0x7a))
+#define	digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+
+#define	borderchar(c) (alphachar(c) || digitchar(c))
+#define	middlechar(c) (borderchar(c) || hyphenchar(c))
+
+static int
+res_hnok(const char *dn)
+{
+	int pch = PERIOD, ch = *dn++;
+
+	while (ch != '\0') {
+		int nch = *dn++;
+
+		if (periodchar(ch)) {
+			;
+		} else if (periodchar(pch)) {
+			if (!borderchar(ch))
+				return (0);
+		} else if (periodchar(nch) || nch == '\0') {
+			if (!borderchar(ch))
+				return (0);
+		} else {
+			if (!middlechar(ch))
+				return (0);
+		}
+		pch = ch, ch = nch;
+	}
+	return (1);
+}
+
 /* Decode domain name label encoding in RFC 1035 Section 3.1 */
 static size_t
 dname_labeldec(char *dst, size_t dlen, const char *src)
@@ -804,12 +839,11 @@ dname_labeldec(char *dst, size_t dlen, const char *src)
 	}
 	*dst = '\0';
 
-	/*
-	 * XXX validate that domain name only contains valid characters
-	 * for two reasons: 1) correctness, 2) we do not want to pass
-	 * possible malicious, unescaped characters like `` to a script
-	 * or program that could be exploited that way.
-	 */
+	if (!res_hnok(dst_origin)) {
+		warnmsg(LOG_INFO, __func__,
+		    "invalid domain name '%s' was ignored", dst_origin);
+		return (0);
+	}
 
 	return (src - src_origin);
 }