The branch stable/13 has been updated by gad:
URL:
https://cgit.FreeBSD.org/src/commit/?id=ca927128bf6a92abce27151fbb1ab112fd2a8385
commit ca927128bf6a92abce27151fbb1ab112fd2a8385
Author: Garance A Drosehn <g...@freebsd.org>
AuthorDate: 2021-12-30 20:45:13 +0000
Commit: Garance A Drosehn <g...@freebsd.org>
CommitDate: 2023-09-23 21:04:40 +0000
When parsing a rule to rotate log files on a specific week day,
parseDWM() can advance the time to the next week. If the next week is
in the next month, then tm_mon is incremented. However, the increment
was failing to handle the wraparound from December to January, so when
parsing a rule during the last week of the December, the month would
advance to month 12. This triggered an out-of-bounds read of the
mtab[] array in days_pmonth() after parseDWM() returned. To fix,
this change resets the month to January and increment the year when
the month increment wraps.
The default rule for /var/log/weekly.log triggers this during the
last week of December each year.
Reported by: CHERI
Obtained from: CheriBSD
Reviewed by: jhb
Sponsored by: The University of Cambridge, Google Inc.
Differential Revision: <https://reviews.freebsd.org/D33687>
(cherry picked from commit b7b447fd4ca327faa99b2f16e6cbd61c86c75f04)
---
usr.sbin/newsyslog/ptimes.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/usr.sbin/newsyslog/ptimes.c b/usr.sbin/newsyslog/ptimes.c
index 06bdffdda084..792ad3e1727d 100644
--- a/usr.sbin/newsyslog/ptimes.c
+++ b/usr.sbin/newsyslog/ptimes.c
@@ -277,6 +277,10 @@ parseDWM(struct ptime_data *ptime, const char *s)
if (tm.tm_mday > daysmon) {
tm.tm_mon++;
tm.tm_mday = tm.tm_mday - daysmon;
+ if (tm.tm_mon >= 12) {
+ tm.tm_mon = 0;
+ tm.tm_year++;
+ }
}
}
break;
