[Midnightbsd-cvs] src [6878] stable/0.5/usr.sbin/rtsold/rtsol.c: Due to a missing length check in the code that handles DNS parameters,
laffer1 at midnightbsd.org
Tue Oct 21 18:12:06 EDT 2014
Revision: 6878
http://svnweb.midnightbsd.org/src/?rev=6878
Author: laffer1
Date: 2014-10-21 18:12:05 -0400 (Tue, 21 Oct 2014)
Log Message:
-----------
Due to a missing length check in the code that handles DNS parameters,
a malformed router advertisement message can result in a stack buffer
overflow in rtsold(8).
Obtained from: FreeBSD
Modified Paths:
--------------
stable/0.5/usr.sbin/rtsold/rtsol.c
Modified: stable/0.5/usr.sbin/rtsold/rtsol.c
===================================================================
--- stable/0.5/usr.sbin/rtsold/rtsol.c 2014-10-21 22:09:49 UTC (rev 6877)
+++ stable/0.5/usr.sbin/rtsold/rtsol.c 2014-10-21 22:12:05 UTC (rev 6878)
@@ -933,7 +933,8 @@
dst_origin = dst;
memset(dst, '\0', dlen);
while (src && (len = (uint8_t)(*src++) & 0x3f) &&
- (src + len) <= src_last) {
+ (src + len) <= src_last &&
+ (dst - dst_origin < (ssize_t)dlen)) {
if (dst != dst_origin)
*dst++ = '.';
warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);
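Review bot: the new condition `(dst - dst_origin < (ssize_t)dlen)` compares only the current write offset with dlen, not the offset this iteration will reach. The visible body writes a '.' separator through `*dst++`, and len can be as large as 0x3f, so if the label bytes are copied to dst further down in the loop (not visible in this hunk), an iteration that starts just below dlen can still write past the end of the buffer. Consider checking the remaining space instead: require that the separator plus len bytes, and a terminating NUL if one is written after the loop, fit in the dlen - (dst - dst_origin) bytes that are left before entering the body. A short comment on the loop stating which bound protects dst would also help, since the condition now mixes source-side and destination-side limits.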