[Bug 238013] Buffer overrun in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c
bugzilla-noreply at freebsd.org
Tue May 21 07:04:57 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238013
Bug ID: 238013
Summary: Buffer overrun in function dname_labeldec in
usr.sbin/rtadvctl/rtadvctl.c
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yangx92 at hotmail.com
Created attachment 204501
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204501&action=edit
Proposed patch
There is a buffer overrun vulnerability in function dname_labeldec in
usr.sbin/rtadvctl/rtadvctl.c, which is the same as the vulnerability that was fixed in
https://github.com/freebsd/freebsd/commit/a9647f4732da9b517eec6d174a7c1f2441443729.
static size_t
dname_labeldec(char *dst, size_t dlen, const char *src)
{
	size_t len;
	const char *src_origin;
	const char *src_last;
	const char *dst_origin;

	src_origin = src;
	src_last = strchr(src, '\0');
	dst_origin = dst;
	memset(dst, '\0', dlen);
	while (src && (len = (uint8_t)(*src++) & 0x3f) &&
	    (src + len) <= src_last) {
		if (dst != dst_origin)
			*dst++ = '.';
		mysyslog(LOG_DEBUG, "<%s> labellen = %zd", __func__, len);
		memcpy(dst, src, len);
		src += len;
		dst += len;
	}
	*dst = '\0';
	return (src - src_origin);
}
In the while condition, we should limit the range of the variable dst.
The attachment is the proposed patch.
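Added example, not the attached patch and not FreeBSD's code: one way to bound the writes to dst in the decoder quoted above, by checking each label (plus its '.' separator and the final NUL) against dlen before copying. The function name dname_labeldec_bounded, the convention of returning 0 when the output does not fit, and the sample input are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: labels "www", "example", "com" with length prefixes. */
static const char sample_name[] = "\003www\007example\003com";

/*
 * Hypothetical bounded variant of dname_labeldec() (not the attached patch).
 * Returns the source bytes consumed, or 0 if dst cannot hold the result.
 */
static size_t
dname_labeldec_bounded(char *dst, size_t dlen, const char *src)
{
	const char *src_origin = src;
	const char *src_last;
	size_t len, need, used = 0;

	if (dst == NULL || dlen == 0 || src == NULL)
		return (0);
	src_last = strchr(src, '\0');
	memset(dst, '\0', dlen);
	while ((len = (uint8_t)(*src++) & 0x3f) != 0 &&
	    len <= (size_t)(src_last - src)) {
		/* Bytes this label adds: the label plus a '.' after the first. */
		need = len + (used != 0 ? 1 : 0);
		/* Reserve one byte for the terminating NUL. */
		if (need > dlen - 1 - used) {
			dst[0] = '\0';
			return (0);
		}
		if (used != 0)
			dst[used++] = '.';
		memcpy(dst + used, src, len);
		src += len;
		used += len;
	}
	dst[used] = '\0';
	return ((size_t)(src - src_origin));
}

int main(void)
{
	char ok[16], small[15];
	printf("%zu %s\n", dname_labeldec_bounded(ok, sizeof(ok), sample_name), ok);
	printf("%zu\n", dname_labeldec_bounded(small, sizeof(small), sample_name));
	return (0);
}
```

The original function never returns 0 (it always consumes at least one source byte), so 0 is an unambiguous failure value in this sketch.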