Created attachment 204501
Proposed patch

There is a buffer overrun vulnerability in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c, which is the same as the vulnerability that was fixed in https://github.com/freebsd/freebsd/commit/a9647f4732da9b517eec6d174a7c1f2441443729.

static size_t
dname_labeldec(char *dst, size_t dlen, const char *src)
{
	size_t len;
	const char *src_origin;
	const char *src_last;
	const char *dst_origin;

	src_origin = src;
	src_last = strchr(src, '\0');
	dst_origin = dst;
	memset(dst, '\0', dlen);
	while (src && (len = (uint8_t)(*src++) & 0x3f) &&
	    (src + len) <= src_last) {
		if (dst != dst_origin)
			*dst++ = '.';
		mysyslog(LOG_DEBUG, "<%s> labellen = %zd", __func__, len);
		memcpy(dst, src, len);
		src += len;
		dst += len;
	}
	*dst = '\0';

	return (src - src_origin);
}

In the condition of the while loop, we should limit the range of the variable dst. The attachment is the proposed patch.
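
Added example (not the attached patch and not FreeBSD's code): one way to bound dst in the dname_labeldec loop quoted above, runnable stand-alone. The names dname_labeldec_bounded, dst_end, need and sample are hypothetical, the mysyslog call is left out, and stopping at a label boundary when the output is full is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: "www.example.com" as length-prefixed labels. */
static const char sample[] = "\x03" "www" "\x07" "example" "\x03" "com";

/* Hypothetical bounded variant; never writes more than dlen bytes to dst. */
static size_t
dname_labeldec_bounded(char *dst, size_t dlen, const char *src)
{
	size_t len, need;
	const char *src_origin = src;
	const char *src_last;
	const char *dst_origin = dst;
	const char *dst_end;

	if (dst == NULL || dlen == 0 || src == NULL)
		return (0);
	src_last = strchr(src, '\0');
	dst_end = dst + dlen - 1;	/* keep one byte for the final NUL */
	memset(dst, '\0', dlen);
	while ((len = (uint8_t)(*src++) & 0x3f) != 0 &&
	    len <= (size_t)(src_last - src)) {
		/* Bytes this label adds: its text plus a '.' separator. */
		need = len + (dst != dst_origin ? 1 : 0);
		if (need > (size_t)(dst_end - dst))
			break;		/* assumption: truncate at a label boundary */
		if (dst != dst_origin)
			*dst++ = '.';
		memcpy(dst, src, len);
		src += len;
		dst += len;
	}
	*dst = '\0';
	return (src - src_origin);
}

int
main(void)
{
	char small[8];
	size_t used = dname_labeldec_bounded(small, sizeof(small), sample);

	printf("consumed %zu bytes, decoded \"%s\"\n", used, small);
	return (0);
}
```

When a label does not fit, the return value still counts that label's length byte, matching what the quoted function returns when a label runs past the end of src.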

Comment on attachment 204501
Proposed patch

^Triage: convert this to text/plain and set the Patch flag so that the automation can see it.