Re: FreeBSD-SA-25:12.rtsold.asc clarification needed
Date: Mon, 22 Dec 2025 21:25:44 UTC
On 12/22/2025 4:11 PM, Polarian wrote:
> Hey,
>
>> I only see a code change for the userland daemon. Is that code
>> somehow being pulled into the kernel during buildworld?
> Both rtsold and rtsol afaik are userland. I have not inspected the
> build, but someone else from #freebsd did and stated both of them are
> compiled together.
I am trying to understand if rtsold is not running and not enabled, what
from the kernel would spin that up to expose the code path that is
patched in the advisory?

There is only one file (userland) touched in the patch (it's below).
rtsol is based on /usr/src/usr.sbin/rtsold so the one patch seems to
cover both of those userland files. I don't see any archive of the IRC
chat. Do you have the text from that explaining how this code path gets
called? I have never heard of userland src files in FreeBSD being
included in the kernel. Your friend is certain of this?
--- usr.sbin/rtsold/rtsol.c.orig
+++ usr.sbin/rtsold/rtsol.c
@@ -776,6 +776,41 @@
argv[0], status);
}
+#define PERIOD 0x2e
+#define hyphenchar(c) ((c) == 0x2d)
+#define periodchar(c) ((c) == PERIOD)
+#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) || \
+ ((c) >= 0x61 && (c) <= 0x7a))
+#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+
+#define borderchar(c) (alphachar(c) || digitchar(c))
+#define middlechar(c) (borderchar(c) || hyphenchar(c))
+
+static int
+res_hnok(const char *dn)
+{
+ int pch = PERIOD, ch = *dn++;
+
+ while (ch != '\0') {
+ int nch = *dn++;
+
+ if (periodchar(ch)) {
+ ;
+ } else if (periodchar(pch)) {
+ if (!borderchar(ch))
+ return (0);
+ } else if (periodchar(nch) || nch == '\0') {
+ if (!borderchar(ch))
+ return (0);
+ } else {
+ if (!middlechar(ch))
+ return (0);
+ }
+ pch = ch, ch = nch;
+ }
+ return (1);
+}
+
/* Decode domain name label encoding in RFC 1035 Section 3.1 */
static size_t
dname_labeldec(char *dst, size_t dlen, const char *src)
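Review bot: res_hnok() accepts the empty string and names with empty labels. When the first byte is '\0' the while loop never runs and the function returns 1, and the `if (periodchar(ch)) { ; }` branch lets a leading period or consecutive periods through without any check. If dname_labeldec() is meant to reject those, add an explicit test for them, and add a comment above the function stating the rule it enforces (first and last character of each label must be a letter or digit, hyphens allowed only in between) and why the macros use hex constants rather than <ctype.h>.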
@@ -804,12 +839,11 @@
}
*dst = '\0';
- /*
- * XXX validate that domain name only contains valid characters
- * for two reasons: 1) correctness, 2) we do not want to pass
- * possible malicious, unescaped characters like `` to a script
- * or program that could be exploited that way.
- */
+ if (!res_hnok(dst_origin)) {
+ warnmsg(LOG_INFO, __func__,
+ "invalid domain name '%s' was ignored", dst_origin);
+ return (0);
+ }
return (src - src_origin);
}
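Review bot: The warnmsg() call on the rejection path formats dst_origin with '%s' immediately after res_hnok() has reported that the string contains something other than letters, digits, hyphens and periods, so the log line can carry whatever bytes the name held. Log an escaped form of the name, or only the fact that a name was rejected. It would also help to note in a comment that on this `return (0)` path dst still holds the rejected string, so callers have to check the return value before using the buffer.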
---Mike