Bug 238013 - Buffer overrun in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c
Summary: Buffer overrun in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-bugs (Nobody)
Keywords: patch
Depends on:
Reported: 2019-05-21 07:04 UTC by Young
Modified: 2019-05-25 19:37 UTC (History)
1 user (show)

See Also:

Proposed patch (972 bytes, application/mbox)
2019-05-21 07:04 UTC, Young
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Young 2019-05-21 07:04:54 UTC
Created attachment 204501 [details]
Proposed patch

There is a buffer overrun vulnerability in function dname_labeldec in usr.sbin/rtadvctl/rtadvctl.c, which is same as vulnerability that was fixed in https://github.com/freebsd/freebsd/commit/a9647f4732da9b517eec6d174a7c1f2441443729.

static size_t
dname_labeldec(char *dst, size_t dlen, const char *src)
        size_t len;
        const char *src_origin;
        const char *src_last;
        const char *dst_origin;

        src_origin = src;
        src_last = strchr(src, '\0');
        dst_origin = dst;
        memset(dst, '\0', dlen);
        while (src && (len = (uint8_t)(*src++) & 0x3f) &&
            (src + len) <= src_last) {
                if (dst != dst_origin)
                        *dst++ = '.';
                mysyslog(LOG_DEBUG, "<%s> labellen = %zd", __func__, len);
                memcpy(dst, src, len);
                src += len;
                dst += len;
        *dst = '\0';

        return (src - src_origin);

In the condition of while, we should limit the range of variable dst.

The attachment is the proposed patch.