Author: glebius
Date: Tue Dec  6 18:49:48 2016
New Revision: 309634
URL: https://svnweb.freebsd.org/changeset/base/309634

Log:
  Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
  Fix link_ntoa(3) buffer overflow in libc. [SA-16:37]
  Fix possible escape from bhyve(8) virtual machine. [SA-16:38]
  Fix warnings about valid time zone abbreviations. [EN-16:19]
  Update timezone database information. [EN-16:20]
  
  Security:     FreeBSD-SA-16:36.telnetd
  Security:     FreeBSD-SA-16:37.libc
  Security:     FreeBSD-SA-16:38.bhyve
  Errata Notice:        FreeBSD-EN-16:19.tzcode
  Errata Notice:        FreeBSD-EN-16:20.tzdata
  Approved by:  so

Modified:
  releng/10.3/UPDATING
  releng/10.3/contrib/telnet/telnetd/sys_term.c
  releng/10.3/lib/libc/net/linkaddr.c
  releng/10.3/lib/libvmmapi/vmmapi.c
  releng/10.3/sys/conf/newvers.sh

Modified: releng/10.3/UPDATING
==============================================================================
--- releng/10.3/UPDATING        Tue Dec  6 18:49:38 2016        (r309633)
+++ releng/10.3/UPDATING        Tue Dec  6 18:49:48 2016        (r309634)
@@ -16,6 +16,18 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20161206       p13     FreeBSD-SA-16:36.telnetd
+                       FreeBSD-SA-16:37.libc
+                       FreeBSD-SA-16:38.bhyve
+                       FreeBSD-EN-16:19.tzcode
+                       FreeBSD-EN-16:20.tzdata
+
+       Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
+       Fix link_ntoa(3) buffer overflow in libc. [SA-16:37]
+       Fix possible escape from bhyve(8) virtual machine. [SA-16:38]
+       Fix warnings about valid time zone abbreviations. [EN-16:19]
+       Update timezone database information. [EN-16:20]
+
 20161102       p12     FreeBSD-SA-16:33.openssh
                        FreeBSD-SA-16:35.openssl
 

Modified: releng/10.3/contrib/telnet/telnetd/sys_term.c
==============================================================================
--- releng/10.3/contrib/telnet/telnetd/sys_term.c       Tue Dec  6 18:49:38 2016        (r309633)
+++ releng/10.3/contrib/telnet/telnetd/sys_term.c       Tue Dec  6 18:49:48 2016        (r309634)
@@ -1159,7 +1159,7 @@ addarg(char **argv, const char *val)
                 */
                argv = (char **)malloc(sizeof(*argv) * 12);
                if (argv == NULL)
-                       return(NULL);
+                       fatal(net, "failure allocating argument space");
                *argv++ = (char *)10;
                *argv = (char *)0;
        }
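Review bot: addarg() now has three allocation-failure paths that call `fatal(net, ...)` (after malloc here, and after realloc and strdup in the next hunk), but nothing states that the function no longer returns NULL or why that matters. The commit log ties the change to login(1) argument injection; presumably callers chain `argv = addarg(argv, ...)`, so a NULL return would make the next call start a fresh vector and drop the arguments added earlier. The callers are outside this diff, so that should be confirmed. I would add a comment above the function such as `/* Never returns NULL: allocation failure is fatal, so a partly built argv is never silently restarted. */`. The fix also depends on fatal() not returning, because `*argv++ = (char *)10;` on the following line would otherwise dereference NULL; its definition is not visible here.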
@@ -1170,11 +1170,12 @@ addarg(char **argv, const char *val)
                *argv = (char *)((long)(*argv) + 10);
                argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
                if (argv == NULL)
-                       return(NULL);
+                       fatal(net, "failure allocating argument space");
                argv++;
                cpp = &argv[(long)argv[-1] - 10];
        }
-       *cpp++ = strdup(val);
+       if ((*cpp++ = strdup(val)) == NULL)
+               fatal(net, "failure allocating argument space");
        *cpp = 0;
        return(argv);
 }
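Review bot: The new strdup check folds an assignment and a post-increment into the condition, `if ((*cpp++ = strdup(val)) == NULL)`, which makes it easy to misread which slot was tested and whether `cpp` has already moved. Splitting it behaves the same and reads more plainly: `*cpp = strdup(val);`, then `if (*cpp == NULL) fatal(net, "failure allocating argument space");`, then `cpp++;`. The start of addarg() lies outside this hunk.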

Modified: releng/10.3/lib/libc/net/linkaddr.c
==============================================================================
--- releng/10.3/lib/libc/net/linkaddr.c Tue Dec  6 18:49:38 2016        (r309633)
+++ releng/10.3/lib/libc/net/linkaddr.c Tue Dec  6 18:49:48 2016        (r309634)
@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <net/if.h>
 #include <net/if_dl.h>
 #include <string.h>
 
@@ -125,31 +126,47 @@ link_ntoa(sdl)
        const struct sockaddr_dl *sdl;
 {
        static char obuf[64];
-       char *out = obuf;
-       int i;
-       u_char *in = (u_char *)LLADDR(sdl);
-       u_char *inlim = in + sdl->sdl_alen;
-       int firsttime = 1;
-
-       if (sdl->sdl_nlen) {
-               bcopy(sdl->sdl_data, obuf, sdl->sdl_nlen);
-               out += sdl->sdl_nlen;
-               if (sdl->sdl_alen)
+       _Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
+       char *out;
+       const char *in, *inlim;
+       int namelen, i, rem;
+
+       namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ;
+
+       out = obuf;
+       rem = sizeof(obuf);
+       if (namelen > 0) {
+               bcopy(sdl->sdl_data, out, namelen);
+               out += namelen;
+               rem -= namelen;
+               if (sdl->sdl_alen > 0) {
                        *out++ = ':';
+                       rem--;
+               }
        }
-       while (in < inlim) {
-               if (firsttime)
-                       firsttime = 0;
-               else
+
+       in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
+       inlim = in + sdl->sdl_alen;
+
+       while (in < inlim && rem > 1) {
+               if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
                        *out++ = '.';
+                       rem--;
+               }
                i = *in++;
                if (i > 0xf) {
-                       out[1] = hexlist[i & 0xf];
+                       if (rem < 3)
+                               break;
+                       *out++ = hexlist[i & 0xf];
                        i >>= 4;
-                       out[0] = hexlist[i];
-                       out += 2;
-               } else
                        *out++ = hexlist[i];
+                       rem -= 2;
+               } else {
+                       if (rem < 2)
+                               break;
+                       *out++ = hexlist[i];
+                       rem++;
+               }
        }
        *out = 0;
        return (obuf);
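Review bot: The single-digit branch ends with `rem++` although it has just written one byte, so the remaining-space counter grows instead of shrinking, and the `rem > 1` and `rem < 3` guards stop bounding writes into the 64-byte obuf when the address holds many bytes of 0x0f or less; it should be `rem--`. Two more problems sit in the same loop. `in` is now `const char *`, so where char is signed a byte of 0x80 or above becomes negative, fails `i > 0xf` and indexes `hexlist[]` below its start. The two-digit branch also emits the low nibble before the high one, reversing the digits compared with the removed `out[0]`/`out[1]` code. The fence keeps the byte pointer unsigned, restores high-nibble-first order and decrements rem; the closing brace of link_ntoa() is outside the hunk.

```c
	const u_char *in, *inlim;	/* unsigned: bytes >= 0x80 stay in 0..255 */
	/* … unchanged: namelen clamp and interface-name copy … */
	in = (const u_char *)sdl->sdl_data + sdl->sdl_nlen;
	/* … unchanged: inlim, loop header … */
		if (in != (const u_char *)sdl->sdl_data + sdl->sdl_nlen) {
	/* … unchanged: '.' separator, byte fetch, rem < 3 check … */
			*out++ = hexlist[i >> 4];	/* high nibble first */
			*out++ = hexlist[i & 0xf];
	/* … unchanged: rem -= 2, else branch with rem < 2 check and digit … */
			rem--;	/* one byte written: count down, not up */
```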

Modified: releng/10.3/lib/libvmmapi/vmmapi.c
==============================================================================
--- releng/10.3/lib/libvmmapi/vmmapi.c  Tue Dec  6 18:49:38 2016        (r309633)
+++ releng/10.3/lib/libvmmapi/vmmapi.c  Tue Dec  6 18:49:48 2016        (r309634)
@@ -427,13 +427,18 @@ vm_map_gpa(struct vmctx *ctx, vm_paddr_t
 {
 
        if (ctx->lowmem > 0) {
-               if (gaddr < ctx->lowmem && gaddr + len <= ctx->lowmem)
+               if (gaddr < ctx->lowmem && len <= ctx->lowmem &&
+                   gaddr + len <= ctx->lowmem)
                        return (ctx->baseaddr + gaddr);
        }
 
        if (ctx->highmem > 0) {
-               if (gaddr >= 4*GB && gaddr + len <= 4*GB + ctx->highmem)
-                       return (ctx->baseaddr + gaddr);
+                if (gaddr >= 4*GB) {
+                       if (gaddr < 4*GB + ctx->highmem &&
+                           len <= ctx->highmem &&
+                           gaddr + len <= 4*GB + ctx->highmem)
+                               return (ctx->baseaddr + gaddr);
+               }
        }
 
        return (NULL);
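Review bot: Both range checks still compute `gaddr + len`, and they are safe only because the added `len <= ctx->lowmem` and `len <= ctx->highmem` tests keep the sum from wrapping while the configured memory sizes stay far below the type's maximum. Comparing against the space that is left removes that dependency: `if (gaddr < ctx->lowmem && len <= ctx->lowmem - gaddr)` for low memory, and `if (gaddr - 4*GB < ctx->highmem && len <= ctx->highmem - (gaddr - 4*GB))` inside the `gaddr >= 4*GB` test for high memory. The parameter types are cut off in the hunk header, so this assumes gaddr and len are unsigned. The added `if (gaddr >= 4*GB) {` line is also indented one column differently from its neighbours, and the function's start and end are outside the hunk.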

Modified: releng/10.3/sys/conf/newvers.sh
==============================================================================
--- releng/10.3/sys/conf/newvers.sh     Tue Dec  6 18:49:38 2016        (r309633)
+++ releng/10.3/sys/conf/newvers.sh     Tue Dec  6 18:49:48 2016        (r309634)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.3"
-BRANCH="RELEASE-p12"
+BRANCH="RELEASE-p13"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi