From 0c3089f7ac357bfd66b08678db5a22892f3bbccb Mon Sep 17 00:00:00 2001 From: Gordon Tetlow Date: Tue, 1 Dec 2020 19:39:44 +0000 Subject: [PATCH] Fix multiple vulnerabilities in rtsold. Approved by: so Security: FreeBSD-SA-20:32.rtsold Security: CVE-2020-25577 --- usr.sbin/rtsold/rtsol.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c index a10cd4c510d..9eb7bc25236 100644 --- a/usr.sbin/rtsold/rtsol.c +++ b/usr.sbin/rtsold/rtsol.c @@ -390,8 +390,8 @@ rtsol_input(int s) newent_rai = 1; } -#define RA_OPT_NEXT_HDR(x) (struct nd_opt_hdr *)((char *)x + \ - (((struct nd_opt_hdr *)x)->nd_opt_len * 8)) +#define RA_OPT_NEXT_HDR(x) (struct nd_opt_hdr *)((char *)(x) + \ + (((struct nd_opt_hdr *)(x))->nd_opt_len * 8)) /* Process RA options. */ warnmsg(LOG_DEBUG, __func__, "Processing RA"); raoptp = (char *)icp + sizeof(struct nd_router_advert); @@ -403,6 +403,15 @@ rtsol_input(int s) warnmsg(LOG_DEBUG, __func__, "ndo->nd_opt_len = %d", ndo->nd_opt_len); + if (ndo->nd_opt_len == 0) { + warnmsg(LOG_INFO, __func__, "invalid option length 0."); + break; + } + if ((char *)RA_OPT_NEXT_HDR(raoptp) > (char *)icp + msglen) { + warnmsg(LOG_INFO, __func__, "option length overflow."); + break; + } + switch (ndo->nd_opt_type) { case ND_OPT_RDNSS: rdnss = (struct nd_opt_rdnss *)raoptp; @@ -924,15 +933,18 @@ dname_labeldec(char *dst, size_t dlen, const char *src) src_last = strchr(src, '\0'); dst_origin = dst; memset(dst, '\0', dlen); - while (src && (len = (uint8_t)(*src++) & 0x3f) && - (src + len) <= src_last && - (dst - dst_origin < (ssize_t)dlen)) { - if (dst != dst_origin) + while ((len = (*src++) & 0x3f) && + src + len <= src_last && + len + 1 + (dst == dst_origin ? 0 : 1) <= dlen) { + if (dst != dst_origin) { *dst++ = '.'; + dlen--; + } warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len); memcpy(dst, src, len); src += len; dst += len; + dlen -= len; } *dst = '\0'; -- 2.45.0