- Add another length check for DNSSL option. A malformed ICMP message can have

no '\0' in the search list and/or invalid length field. - NI_MAXHOST is defined including \0.
author: hrs <hrs@FreeBSD.org> 2011-06-04 01:11:34 +0000
committer: hrs <hrs@FreeBSD.org> 2011-06-04 01:11:34 +0000
commit: 414167aef9f91f9b70350d9b86f0381d619b091b (patch)
tree: fc9f3786b8c053b02b4af9e2288ee06e958eecf4 /usr.sbin/rtadvd
parent: d45e9a2064d99aea984c4b96d47bb3b7c29b42d3 (diff)
download: FreeBSD-src-414167aef9f91f9b70350d9b86f0381d619b091b.zip
FreeBSD-src-414167aef9f91f9b70350d9b86f0381d619b091b.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/usr.sbin/rtadvd/dump.c b/usr.sbin/rtadvd/dump.c
index 97dc122..704d5d8 100644
--- a/usr.sbin/rtadvd/dump.c
+++ b/usr.sbin/rtadvd/dump.c
@@ -254,7 +254,7 @@ if_dump(void)
 
 		TAILQ_FOREACH(dns, &rai->dnssl, dn_next) {
 			struct dnssl_addr *dnsa;
-			char buf[NI_MAXHOST + 1];
+			char buf[NI_MAXHOST];
 
 			if (dns == TAILQ_FIRST(&rai->dnssl))
 				fprintf(fp, "  DNS search list:\n"
@@ -295,12 +295,15 @@ dname_labeldec(char *dst, size_t dlen, const char *src)
 {
 	size_t len;
 	const char *src_origin;
+	const char *src_last;
 	const char *dst_origin;
 
 	src_origin = src;
+	src_last = strchr(src, '\0');
 	dst_origin = dst;
 	memset(dst, '\0', dlen);
-	while (src && (len = (uint8_t)(*src++) & 0x3f)) {
+	while (src && (len = (uint8_t)(*src++) & 0x3f) &&
+	    (src + len) <= src_last) {
 		if (dst != dst_origin)
 			*dst++ = '.';
 		syslog(LOG_DEBUG, "<%s> labellen = %d", __func__, len);
author	hrs <hrs@FreeBSD.org>	2011-06-04 01:11:34 +0000
committer	hrs <hrs@FreeBSD.org>	2011-06-04 01:11:34 +0000
commit	414167aef9f91f9b70350d9b86f0381d619b091b (patch)
tree	fc9f3786b8c053b02b4af9e2288ee06e958eecf4 /usr.sbin/rtadvd
parent	d45e9a2064d99aea984c4b96d47bb3b7c29b42d3 (diff)
download	FreeBSD-src-414167aef9f91f9b70350d9b86f0381d619b091b.zip FreeBSD-src-414167aef9f91f9b70350d9b86f0381d619b091b.tar.gz