The branch releng/14.4 has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=f16fc39527ee758aca81085c11e2b677895ee4e5
commit f16fc39527ee758aca81085c11e2b677895ee4e5 Author: Dag-Erling Smørgrav <[email protected]> AuthorDate: 2026-02-13 15:57:50 +0000 Commit: Colin Percival <[email protected]> CommitDate: 2026-02-18 01:48:33 +0000 ngctl: Fix buffer overflow in config command Keep track of our buffer length when assembling the argument list. PR: 293075 MFC after: 1 week Reviewed by: zlei, markj Differential Revision: https://reviews.freebsd.org/D55259 (cherry picked from commit 59906a163e474c8d00bdebe226c4d47332b91bad) (cherry picked from commit e5bf728058da2b9cdc056e49bd82b57310588b3e) --- usr.sbin/ngctl/config.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/usr.sbin/ngctl/config.c b/usr.sbin/ngctl/config.c index 261bc950f570..611975ef5b10 100644 --- a/usr.sbin/ngctl/config.c +++ b/usr.sbin/ngctl/config.c @@ -62,7 +62,7 @@ ConfigCmd(int ac, char **av) struct ng_mesg *const resp = (struct ng_mesg *) sbuf; char *const status = (char *) resp->data; char *path; - char buf[NG_TEXTRESPONSE]; + char buf[NG_TEXTRESPONSE], *pos, *end; int nostat = 0, i; /* Get arguments */ @@ -70,20 +70,26 @@ ConfigCmd(int ac, char **av) return (CMDRTN_USAGE); path = av[1]; - *buf = '\0'; + pos = buf; + end = buf + sizeof(buf); for (i = 2; i < ac; i++) { - if (i != 2) - strcat(buf, " "); - strcat(buf, av[i]); + if (i > 2) { + if (pos == end) + return (CMDRTN_USAGE); + *pos++ = ' '; + } + if ((pos += strlcpy(pos, av[i], end - pos)) >= end) + return (CMDRTN_USAGE); } - + *pos = '\0'; + /* Get node config summary */ if (*buf != '\0') i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, buf, strlen(buf) + 1); + NGM_TEXT_CONFIG, buf, pos - buf + 1); else i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, NULL, 0); + NGM_TEXT_CONFIG, NULL, 0); if (i < 0) { switch (errno) { case EINVAL:
