From bf1aadd32323ef06d5262356a7c5db2ce6dfa1d6 Mon Sep 17 00:00:00 2001
From: glebius <glebius@FreeBSD.org>
Date: Tue, 6 Dec 2016 18:49:59 +0000
Subject: Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
 Fix link_ntoa(3) buffer overflow in libc. [SA-16:37] Fix possible escape from
 bhyve(8) virtual machine. [SA-16:38] Fix warnings about valid time zone
 abbreviations. [EN-16:19] Update timezone database information. [EN-16:20]

Security:	FreeBSD-SA-16:36.telnetd
Security:	FreeBSD-SA-16:37.libc
Security:	FreeBSD-SA-16:38.bhyve
Errata Notice:	FreeBSD-EN-16:19.tzcode
Errata Notice:	FreeBSD-EN-16:20.tzdata
Approved by:	so
---
 UPDATING                          | 12 +++++++++
 contrib/telnet/telnetd/sys_term.c |  7 +++---
 lib/libc/net/linkaddr.c           | 51 ++++++++++++++++++++++++++-------------
 lib/libvmmapi/vmmapi.c            |  6 +++--
 sys/conf/newvers.sh               |  2 +-
 5 files changed, 55 insertions(+), 23 deletions(-)

diff --git a/UPDATING b/UPDATING
index 8a12dba..523ddfe 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,18 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20161206	p43	FreeBSD-SA-16:36.telnetd
+			FreeBSD-SA-16:37.libc
+			FreeBSD-SA-16:38.bhyve
+			FreeBSD-EN-16:19.tzcode
+			FreeBSD-EN-16:20.tzdata
+
+	Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
+	Fix link_ntoa(3) buffer overflow in libc. [SA-16:37]
+	Fix possible escape from bhyve(8) virtual machine. [SA-16:38]
+	Fix warnings about valid time zone abbreviations. [EN-16:19]
+	Update timezone database information. [EN-16:20]
+
 20161102	p42	FreeBSD-SA-16:35.openssl
 
 	Fix OpenSSL remote DoS vulnerability. [SA-16:35]
diff --git a/contrib/telnet/telnetd/sys_term.c b/contrib/telnet/telnetd/sys_term.c
index 6d06b28..6b7516e 100644
--- a/contrib/telnet/telnetd/sys_term.c
+++ b/contrib/telnet/telnetd/sys_term.c
@@ -1207,7 +1207,7 @@ addarg(char **argv, const char *val)
 		 */
 		argv = (char **)malloc(sizeof(*argv) * 12);
 		if (argv == NULL)
-			return(NULL);
+			fatal(net, "failure allocating argument space");
 		*argv++ = (char *)10;
 		*argv = (char *)0;
 	}
@@ -1218,11 +1218,12 @@ addarg(char **argv, const char *val)
 		*argv = (char *)((long)(*argv) + 10);
 		argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
 		if (argv == NULL)
-			return(NULL);
+			fatal(net, "failure allocating argument space");
 		argv++;
 		cpp = &argv[(long)argv[-1] - 10];
 	}
-	*cpp++ = strdup(val);
+	if ((*cpp++ = strdup(val)) == NULL)
+		fatal(net, "failure allocating argument space");
 	*cpp = 0;
 	return(argv);
 }
diff --git a/lib/libc/net/linkaddr.c b/lib/libc/net/linkaddr.c
index 5be6e74..f14f22d 100644
--- a/lib/libc/net/linkaddr.c
+++ b/lib/libc/net/linkaddr.c
@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <net/if.h>
 #include <net/if_dl.h>
 #include <string.h>
 
@@ -125,31 +126,47 @@ link_ntoa(sdl)
 	const struct sockaddr_dl *sdl;
 {
 	static char obuf[64];
-	char *out = obuf;
-	int i;
-	u_char *in = (u_char *)LLADDR(sdl);
-	u_char *inlim = in + sdl->sdl_alen;
-	int firsttime = 1;
+	_Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
+	char *out;
+	const char *in, *inlim;
+	int namelen, i, rem;
 
-	if (sdl->sdl_nlen) {
-		bcopy(sdl->sdl_data, obuf, sdl->sdl_nlen);
-		out += sdl->sdl_nlen;
-		if (sdl->sdl_alen)
+	namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ;
+
+	out = obuf;
+	rem = sizeof(obuf);
+	if (namelen > 0) {
+		bcopy(sdl->sdl_data, out, namelen);
+		out += namelen;
+		rem -= namelen;
+		if (sdl->sdl_alen > 0) {
 			*out++ = ':';
+			rem--;
+		}
 	}
-	while (in < inlim) {
-		if (firsttime)
-			firsttime = 0;
-		else
+
+	in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
+	inlim = in + sdl->sdl_alen;
+
+	while (in < inlim && rem > 1) {
+		if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
 			*out++ = '.';
+			rem--;
+		}
 		i = *in++;
 		if (i > 0xf) {
-			out[1] = hexlist[i & 0xf];
+			if (rem < 3)
+				break;
+			*out++ = hexlist[i & 0xf];
 			i >>= 4;
-			out[0] = hexlist[i];
-			out += 2;
-		} else
 			*out++ = hexlist[i];
+			rem -= 2;
+		} else {
+			if (rem < 2)
+				break;
+			*out++ = hexlist[i];
+			rem++;
+		}
 	}
 	*out = 0;
 	return (obuf);
diff --git a/lib/libvmmapi/vmmapi.c b/lib/libvmmapi/vmmapi.c
index 93955c7..55a3c5e 100644
--- a/lib/libvmmapi/vmmapi.c
+++ b/lib/libvmmapi/vmmapi.c
@@ -263,12 +263,14 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t gaddr, size_t len)
 	/* XXX VM_MMAP_SPARSE not implemented yet */
 	assert(ctx->vms == VM_MMAP_ALL);
 
-	if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem)
+	if (gaddr < ctx->lowmem && len <= ctx->lowmem &&
+	    gaddr + len <= ctx->lowmem)
 		return ((void *)(ctx->lowmem_addr + gaddr));
 
 	if (gaddr >= 4*GB) {
 		gaddr -= 4*GB;
-		if (gaddr < ctx->highmem && gaddr + len <= ctx->highmem)
+		if (gaddr < ctx->highmem && len <= ctx->highmem &&
+		    gaddr + len <= ctx->highmem)
 			return ((void *)(ctx->highmem_addr + gaddr));
 	}
 
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 3841d8d..17c672b 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p42"
+BRANCH="RELEASE-p43"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
-- 
cgit v1.1