Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20]

Fix routed(8) remote denial of service vulnerability. [SA-14:21] Fix memory leak in sandboxed namei lookup. [SA-14:22] Approved by: re (so@ blanket)
author: delphij <delphij@FreeBSD.org> 2014-10-21 20:20:36 +0000
committer: delphij <delphij@FreeBSD.org> 2014-10-21 20:20:36 +0000
commit: ff8a3b0a6f6b74e5191a4e24b2d007450e30700d (patch)
tree: d5b1542e5e99f8cb88b82b77bb6dfd31ea81c41b /usr.sbin
parent: c8355117f700e2cffc517edc3f7521665c326fca (diff)
download: FreeBSD-src-ff8a3b0a6f6b74e5191a4e24b2d007450e30700d.zip
FreeBSD-src-ff8a3b0a6f6b74e5191a4e24b2d007450e30700d.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index c9b3d44..118206a 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -933,7 +933,8 @@ dname_labeldec(char *dst, size_t dlen, const char *src)
 	dst_origin = dst;
 	memset(dst, '\0', dlen);
 	while (src && (len = (uint8_t)(*src++) & 0x3f) &&
-	    (src + len) <= src_last) {
+	    (src + len) <= src_last &&
+	    (dst - dst_origin < (ssize_t)dlen)) {
 		if (dst != dst_origin)
 			*dst++ = '.';
 		warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);
author	delphij <delphij@FreeBSD.org>	2014-10-21 20:20:36 +0000
committer	delphij <delphij@FreeBSD.org>	2014-10-21 20:20:36 +0000
commit	ff8a3b0a6f6b74e5191a4e24b2d007450e30700d (patch)
tree	d5b1542e5e99f8cb88b82b77bb6dfd31ea81c41b /usr.sbin
parent	c8355117f700e2cffc517edc3f7521665c326fca (diff)
download	FreeBSD-src-ff8a3b0a6f6b74e5191a4e24b2d007450e30700d.zip FreeBSD-src-ff8a3b0a6f6b74e5191a4e24b2d007450e30700d.tar.gz