Author: delphij
Date: Tue Oct 21 20:20:36 2014
New Revision: 273414
URL: https://svnweb.freebsd.org/changeset/base/273414

Log:
  Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20]
  
  Fix routed(8) remote denial of service vulnerability. [SA-14:21]
  
  Fix memory leak in sandboxed namei lookup. [SA-14:22]
  
  Approved by:  re (so@ blanket)

Modified:
  releng/10.1/sbin/routed/input.c
  releng/10.1/sys/kern/vfs_lookup.c
  releng/10.1/usr.sbin/rtsold/rtsol.c

Modified: releng/10.1/sbin/routed/input.c
==============================================================================
--- releng/10.1/sbin/routed/input.c     Tue Oct 21 20:20:26 2014        
(r273413)
+++ releng/10.1/sbin/routed/input.c     Tue Oct 21 20:20:36 2014        
(r273414)
@@ -288,6 +288,10 @@ input(struct sockaddr_in *from,            /* rece
                                /* Answer a query from a utility program
                                 * with all we know.
                                 */
+                               if (aifp == NULL) {
+                                       trace_pkt("ignore remote query");
+                                       return;
+                               }
                                if (from->sin_port != htons(RIP_PORT)) {
                                        supply(from, aifp, OUT_QUERY, 0,
                                               rip->rip_vers, ap != 0);
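Review bot: The new `aifp == NULL` guard at the top of the query branch is undocumented, and the comment just above it (`Answer a query from a utility program with all we know.`) still reads as if every query is answered. I would extend that comment, e.g. `/* Queries that did not arrive on a known local interface (aifp == NULL) are dropped rather than passed to supply(). [SA-14:21] */`, so the check is not mistaken for dead code later. Whether a NULL aifp exactly means "source not on a directly attached network" I cannot confirm from this hunk, since aifp is computed earlier in input(), which starts and ends outside the hunk; word the comment to match however it is derived there.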

Modified: releng/10.1/sys/kern/vfs_lookup.c
==============================================================================
--- releng/10.1/sys/kern/vfs_lookup.c   Tue Oct 21 20:20:26 2014        
(r273413)
+++ releng/10.1/sys/kern/vfs_lookup.c   Tue Oct 21 20:20:36 2014        
(r273414)
@@ -121,6 +121,16 @@ TUNABLE_INT("vfs.lookup_shared", &lookup
  *             if symbolic link, massage name in buffer and continue
  *     }
  */
+static void
+namei_cleanup_cnp(struct componentname *cnp)
+{
+       uma_zfree(namei_zone, cnp->cn_pnbuf);
+#ifdef DIAGNOSTIC
+       cnp->cn_pnbuf = NULL;
+       cnp->cn_nameptr = NULL;
+#endif
+}
+
 int
 namei(struct nameidata *ndp)
 {
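Review bot: The new static helper namei_cleanup_cnp() carries no comment, although it is now the single point every error path of namei() must reach for the leak this commit fixes to stay fixed. A header such as `/* Free the pathname buffer owned by cnp. Every return from namei() that does not hand the buffer to the caller (HASBUF) must call this, or the namei_zone allocation leaks. */` would make that contract explicit for the next person adding an error return. I would also note that outside DIAGNOSTIC builds cn_pnbuf and cn_nameptr keep pointing at freed memory after the call; whether any caller relies on that is not visible here, but clearing them unconditionally would make a stale use fail loudly rather than silently, so I leave it as a suggestion beyond the scope of this fix.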
@@ -185,11 +195,7 @@ namei(struct nameidata *ndp)
        }
 #endif
        if (error) {
-               uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-               cnp->cn_pnbuf = NULL;
-               cnp->cn_nameptr = NULL;
-#endif
+               namei_cleanup_cnp(cnp);
                ndp->ni_vp = NULL;
                return (error);
        }
@@ -256,11 +262,7 @@ namei(struct nameidata *ndp)
                        }
                }
                if (error) {
-                       uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-                       cnp->cn_pnbuf = NULL;
-                       cnp->cn_nameptr = NULL;
-#endif
+                       namei_cleanup_cnp(cnp);
                        return (error);
                }
        }
@@ -286,6 +288,7 @@ namei(struct nameidata *ndp)
                                if (KTRPOINT(curthread, KTR_CAPFAIL))
                                        ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
 #endif
+                               namei_cleanup_cnp(cnp);
                                return (ENOTCAPABLE);
                        }
                        while (*(cnp->cn_nameptr) == '/') {
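Review bot: The ENOTCAPABLE return now frees the pathname buffer, which is the leak fix, but unlike the lookup() failure path a few lines further down it does not fire the `SDT_PROBE(vfs, namei, lookup, return, ...)` probe, so a sandbox-rejected lookup is invisible to DTrace consumers of that probe. If the probe is meant to cover every failing return, add `SDT_PROBE(vfs, namei, lookup, return, ENOTCAPABLE, NULL, 0, 0, 0);` before the return; if it is intentionally limited to lookup() failures, a one-line comment saying so would stop the next reader from "fixing" it. I cannot tell from the hunk whether dp holds a vnode reference that this early return should also drop; the pre-patch code did not release one either, so I only flag it for confirmation. The enclosing loop and namei() itself extend beyond the hunk.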
@@ -298,11 +301,7 @@ namei(struct nameidata *ndp)
                ndp->ni_startdir = dp;
                error = lookup(ndp);
                if (error) {
-                       uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-                       cnp->cn_pnbuf = NULL;
-                       cnp->cn_nameptr = NULL;
-#endif
+                       namei_cleanup_cnp(cnp);
                        SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0,
                            0, 0);
                        return (error);
@@ -312,11 +311,7 @@ namei(struct nameidata *ndp)
                 */
                if ((cnp->cn_flags & ISSYMLINK) == 0) {
                        if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
-                               uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-                               cnp->cn_pnbuf = NULL;
-                               cnp->cn_nameptr = NULL;
-#endif
+                               namei_cleanup_cnp(cnp);
                        } else
                                cnp->cn_flags |= HASBUF;
 
@@ -378,11 +373,7 @@ namei(struct nameidata *ndp)
                vput(ndp->ni_vp);
                dp = ndp->ni_dvp;
        }
-       uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-       cnp->cn_pnbuf = NULL;
-       cnp->cn_nameptr = NULL;
-#endif
+       namei_cleanup_cnp(cnp);
        vput(ndp->ni_vp);
        ndp->ni_vp = NULL;
        vrele(ndp->ni_dvp);

Modified: releng/10.1/usr.sbin/rtsold/rtsol.c
==============================================================================
--- releng/10.1/usr.sbin/rtsold/rtsol.c Tue Oct 21 20:20:26 2014        
(r273413)
+++ releng/10.1/usr.sbin/rtsold/rtsol.c Tue Oct 21 20:20:36 2014        
(r273414)
@@ -933,7 +933,8 @@ dname_labeldec(char *dst, size_t dlen, c
        dst_origin = dst;
        memset(dst, '\0', dlen);
        while (src && (len = (uint8_t)(*src++) & 0x3f) &&
-           (src + len) <= src_last) {
+           (src + len) <= src_last &&
+           (dst - dst_origin < (ssize_t)dlen)) {
                if (dst != dst_origin)
                        *dst++ = '.';
                warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);
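Review bot: The added bound `dst - dst_origin < (ssize_t)dlen` only guarantees one byte of headroom when the loop is entered, yet the body immediately writes a '.' and then, from the label length `len` taken off the wire, presumably copies `len` more bytes (the rest of the body is outside the hunk, so I cannot see whether that copy is clipped). With a label of up to 63 bytes (`& 0x3f`) that is still a write past the end of `dst` unless the body re-checks, and even when it fits exactly the terminator laid down by the `memset` is overwritten. I would bound on the whole write, `((size_t)(dst - dst_origin) + len + 1 < dlen)`, so the separator, the label and the NUL all fit; `(src + len) <= src_last` already covers the source side. dname_labeldec() begins and ends outside the hunk.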