diff options
author | delphij <delphij@FreeBSD.org> | 2014-10-21 20:20:36 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2014-10-21 20:20:36 +0000 |
commit | ff8a3b0a6f6b74e5191a4e24b2d007450e30700d (patch) | |
tree | d5b1542e5e99f8cb88b82b77bb6dfd31ea81c41b /usr.sbin | |
parent | c8355117f700e2cffc517edc3f7521665c326fca (diff) | |
download | FreeBSD-src-ff8a3b0a6f6b74e5191a4e24b2d007450e30700d.zip FreeBSD-src-ff8a3b0a6f6b74e5191a4e24b2d007450e30700d.tar.gz |
Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20]
Fix routed(8) remote denial of service vulnerability. [SA-14:21]
Fix memory leak in sandboxed namei lookup. [SA-14:22]
Approved by: re (so@ blanket)
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/rtsold/rtsol.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c index c9b3d44..118206a 100644 --- a/usr.sbin/rtsold/rtsol.c +++ b/usr.sbin/rtsold/rtsol.c @@ -933,7 +933,8 @@ dname_labeldec(char *dst, size_t dlen, const char *src) dst_origin = dst; memset(dst, '\0', dlen); while (src && (len = (uint8_t)(*src++) & 0x3f) && - (src + len) <= src_last) { + (src + len) <= src_last && + (dst - dst_origin < (ssize_t)dlen)) { if (dst != dst_origin) *dst++ = '.'; warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len); |