[Bug 238013] Buffer overrun in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue May 21 07:04:57 UTC 2019


            Bug ID: 238013
           Summary: Buffer overrun in function dname_labeldec in
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: yangx92 at hotmail.com

Created attachment 204501
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204501&action=edit
Proposed patch

There is a buffer overrun vulnerability in function dname_labeldec in
usr.sbin/rtadvctl/rtadvctl.c, which is same as vulnerability that was fixed in

static size_t
dname_labeldec(char *dst, size_t dlen, const char *src)
        size_t len;
        const char *src_origin;
        const char *src_last;
        const char *dst_origin;

        src_origin = src;
        src_last = strchr(src, '\0');
        dst_origin = dst;
        memset(dst, '\0', dlen);
        while (src && (len = (uint8_t)(*src++) & 0x3f) &&
            (src + len) <= src_last) {
                if (dst != dst_origin)
                        *dst++ = '.';
                mysyslog(LOG_DEBUG, "<%s> labellen = %zd", __func__, len);
                memcpy(dst, src, len);
                src += len;
                dst += len;
        *dst = '\0';

        return (src - src_origin);

In the condition of while, we should limit the range of variable dst.

The attachment is the proposed patch.

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list