Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20]

Fix memory leak in sandboxed namei lookup. [SA-14:22]
author: delphij <delphij@FreeBSD.org> 2014-10-21 20:20:07 +0000
committer: delphij <delphij@FreeBSD.org> 2014-10-21 20:20:07 +0000
commit: 86df2c268fe2029d1252ce4749276b08f63686d3 (patch)
tree: 2e5146094191f4ae2f9b6865014442b39630b2de /usr.sbin/rtsold
parent: 6c5ddf4faffa85f792151d8ca53ecff60f5f3bb5 (diff)
download: FreeBSD-src-86df2c268fe2029d1252ce4749276b08f63686d3.zip
FreeBSD-src-86df2c268fe2029d1252ce4749276b08f63686d3.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index c9b3d44..118206a 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -933,7 +933,8 @@ dname_labeldec(char *dst, size_t dlen, const char *src)
 	dst_origin = dst;
 	memset(dst, '\0', dlen);
 	while (src && (len = (uint8_t)(*src++) & 0x3f) &&
-	    (src + len) <= src_last) {
+	    (src + len) <= src_last &&
+	    (dst - dst_origin < (ssize_t)dlen)) {
 		if (dst != dst_origin)
 			*dst++ = '.';
 		warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);
author	delphij <delphij@FreeBSD.org>	2014-10-21 20:20:07 +0000
committer	delphij <delphij@FreeBSD.org>	2014-10-21 20:20:07 +0000
commit	86df2c268fe2029d1252ce4749276b08f63686d3 (patch)
tree	2e5146094191f4ae2f9b6865014442b39630b2de /usr.sbin/rtsold
parent	6c5ddf4faffa85f792151d8ca53ecff60f5f3bb5 (diff)
download	FreeBSD-src-86df2c268fe2029d1252ce4749276b08f63686d3.zip FreeBSD-src-86df2c268fe2029d1252ce4749276b08f63686d3.tar.gz