diff options
author | glebius <glebius@FreeBSD.org> | 2016-12-06 18:49:48 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2016-12-06 18:49:48 +0000 |
commit | 7039a85a068b696972fcc41b36349977d9889a9a (patch) | |
tree | 9e1428b58013365e340bfb13bda0891a8e9149ce /lib | |
parent | e0d95c380e7a6c1d929bc17b18aa2cd374506980 (diff) | |
download | FreeBSD-src-7039a85a068b696972fcc41b36349977d9889a9a.zip FreeBSD-src-7039a85a068b696972fcc41b36349977d9889a9a.tar.gz |
Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
Fix link_ntoa(3) buffer overflow in libc. [SA-16:37]
Fix possible escape from bhyve(8) virtual machine. [SA-16:38]
Fix warnings about valid time zone abbreviations. [EN-16:19]
Update timezone database information. [EN-16:20]
Security: FreeBSD-SA-16:36.telnetd
Security: FreeBSD-SA-16:37.libc
Security: FreeBSD-SA-16:38.bhyve
Errata Notice: FreeBSD-EN-16:19.tzcode
Errata Notice: FreeBSD-EN-16:20.tzdata
Approved by: so
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libc/net/linkaddr.c | 51 | ||||
-rw-r--r-- | lib/libvmmapi/vmmapi.c | 11 |
2 files changed, 42 insertions, 20 deletions
diff --git a/lib/libc/net/linkaddr.c b/lib/libc/net/linkaddr.c index 5be6e74..f14f22d 100644 --- a/lib/libc/net/linkaddr.c +++ b/lib/libc/net/linkaddr.c @@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$"); #include <sys/types.h> #include <sys/socket.h> +#include <net/if.h> #include <net/if_dl.h> #include <string.h> @@ -125,31 +126,47 @@ link_ntoa(sdl) const struct sockaddr_dl *sdl; { static char obuf[64]; - char *out = obuf; - int i; - u_char *in = (u_char *)LLADDR(sdl); - u_char *inlim = in + sdl->sdl_alen; - int firsttime = 1; + _Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small"); + char *out; + const char *in, *inlim; + int namelen, i, rem; - if (sdl->sdl_nlen) { - bcopy(sdl->sdl_data, obuf, sdl->sdl_nlen); - out += sdl->sdl_nlen; - if (sdl->sdl_alen) + namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ; + + out = obuf; + rem = sizeof(obuf); + if (namelen > 0) { + bcopy(sdl->sdl_data, out, namelen); + out += namelen; + rem -= namelen; + if (sdl->sdl_alen > 0) { *out++ = ':'; + rem--; + } } - while (in < inlim) { - if (firsttime) - firsttime = 0; - else + + in = (const char *)sdl->sdl_data + sdl->sdl_nlen; + inlim = in + sdl->sdl_alen; + + while (in < inlim && rem > 1) { + if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) { *out++ = '.'; + rem--; + } i = *in++; if (i > 0xf) { - out[1] = hexlist[i & 0xf]; + if (rem < 3) + break; + *out++ = hexlist[i & 0xf]; i >>= 4; - out[0] = hexlist[i]; - out += 2; - } else *out++ = hexlist[i]; + rem -= 2; + } else { + if (rem < 2) + break; + *out++ = hexlist[i]; + rem++; + } } *out = 0; return (obuf); diff --git a/lib/libvmmapi/vmmapi.c b/lib/libvmmapi/vmmapi.c index fb8eb78..33a3b44 100644 --- a/lib/libvmmapi/vmmapi.c +++ b/lib/libvmmapi/vmmapi.c @@ -427,13 +427,18 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t gaddr, size_t len) { if (ctx->lowmem > 0) { - if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem) + if (gaddr < ctx->lowmem && len <= ctx->lowmem && + gaddr + len <= ctx->lowmem) return (ctx->baseaddr + gaddr); } if (ctx->highmem > 0) { - if (gaddr >= 4*GB && gaddr + len <= 4*GB + ctx->highmem) - return (ctx->baseaddr + gaddr); + if (gaddr >= 4*GB) { + if (gaddr < 4*GB + ctx->highmem && + len <= ctx->highmem && + gaddr + len <= 4*GB + ctx->highmem) + return (ctx->baseaddr + gaddr); + } } return (NULL); |