From owner-svn-src-all@freebsd.org  Tue Dec  6 18:50:08 2016
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 08FC6C6A618;
 Tue,  6 Dec 2016 18:50:08 +0000 (UTC)
 (envelope-from glebius@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id BF88412FA;
 Tue,  6 Dec 2016 18:50:07 +0000 (UTC)
 (envelope-from glebius@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uB6Io61L017166;
 Tue, 6 Dec 2016 18:50:06 GMT (envelope-from glebius@FreeBSD.org)
Received: (from glebius@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id uB6Io6Do017161;
 Tue, 6 Dec 2016 18:50:06 GMT (envelope-from glebius@FreeBSD.org)
Message-Id: <201612061850.uB6Io6Do017161@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: glebius set sender to
 glebius@FreeBSD.org using -f
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Tue, 6 Dec 2016 18:50:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r309637 - in releng/9.3: . contrib/telnet/telnetd
 lib/libc/net sys/conf
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2016 18:50:08 -0000

Author: glebius
Date: Tue Dec  6 18:50:06 2016
New Revision: 309637
URL: https://svnweb.freebsd.org/changeset/base/309637

Log:
  Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
  Fix link_ntoa(3) buffer overflow in libc. [SA-16:37]
  Fix warnings about valid time zone abbreviations. [EN-16:19]
  Update timezone database information. [EN-16:20]
  
  Security:	FreeBSD-SA-16:36.telnetd
  Security:	FreeBSD-SA-16:37.libc
  Errata Notice:	FreeBSD-EN-16:19.tzcode
  Errata Notice:	FreeBSD-EN-16:20.tzdata
  Approved by:	so

Modified:
  releng/9.3/UPDATING
  releng/9.3/contrib/telnet/telnetd/sys_term.c
  releng/9.3/lib/libc/net/linkaddr.c
  releng/9.3/sys/conf/newvers.sh

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING	Tue Dec  6 18:49:59 2016	(r309636)
+++ releng/9.3/UPDATING	Tue Dec  6 18:50:06 2016	(r309637)
@@ -11,6 +11,16 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20161206	p51	FreeBSD-SA-16:36.telnetd
+			FreeBSD-SA-16:37.libc
+			FreeBSD-EN-16:19.tzcode
+			FreeBSD-EN-16:20.tzdata
+
+	Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
+	Fix link_ntoa(3) buffer overflow in libc. [SA-16:37]
+	Fix warnings about valid time zone abbreviations. [EN-16:19]
+	Update timezone database information. [EN-16:20]
+
 20161102	p50	FreeBSD-SA-16:34.bind
 			FreeBSD-SA-16:35.openssl
 

Modified: releng/9.3/contrib/telnet/telnetd/sys_term.c
==============================================================================
--- releng/9.3/contrib/telnet/telnetd/sys_term.c	Tue Dec  6 18:49:59 2016	(r309636)
+++ releng/9.3/contrib/telnet/telnetd/sys_term.c	Tue Dec  6 18:50:06 2016	(r309637)
@@ -1211,7 +1211,7 @@ addarg(char **argv, const char *val)
 		 */
 		argv = (char **)malloc(sizeof(*argv) * 12);
 		if (argv == NULL)
-			return(NULL);
+			fatal(net, "failure allocating argument space");
 		*argv++ = (char *)10;
 		*argv = (char *)0;
 	}
@@ -1222,11 +1222,12 @@ addarg(char **argv, const char *val)
 		*argv = (char *)((long)(*argv) + 10);
 		argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
 		if (argv == NULL)
-			return(NULL);
+			fatal(net, "failure allocating argument space");
 		argv++;
 		cpp = &argv[(long)argv[-1] - 10];
 	}
-	*cpp++ = strdup(val);
+	if ((*cpp++ = strdup(val)) == NULL)
+		fatal(net, "failure allocating argument space");
 	*cpp = 0;
 	return(argv);
 }

Modified: releng/9.3/lib/libc/net/linkaddr.c
==============================================================================
--- releng/9.3/lib/libc/net/linkaddr.c	Tue Dec  6 18:49:59 2016	(r309636)
+++ releng/9.3/lib/libc/net/linkaddr.c	Tue Dec  6 18:50:06 2016	(r309637)
@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <net/if.h>
 #include <net/if_dl.h>
 #include <string.h>
 
@@ -125,31 +126,47 @@ link_ntoa(sdl)
 	const struct sockaddr_dl *sdl;
 {
 	static char obuf[64];
-	char *out = obuf;
-	int i;
-	u_char *in = (u_char *)LLADDR(sdl);
-	u_char *inlim = in + sdl->sdl_alen;
-	int firsttime = 1;
-
-	if (sdl->sdl_nlen) {
-		bcopy(sdl->sdl_data, obuf, sdl->sdl_nlen);
-		out += sdl->sdl_nlen;
-		if (sdl->sdl_alen)
+	_Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
+	char *out;
+	const char *in, *inlim;
+	int namelen, i, rem;
+
+	namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ;
+
+	out = obuf;
+	rem = sizeof(obuf);
+	if (namelen > 0) {
+		bcopy(sdl->sdl_data, out, namelen);
+		out += namelen;
+		rem -= namelen;
+		if (sdl->sdl_alen > 0) {
 			*out++ = ':';
+			rem--;
+		}
 	}
-	while (in < inlim) {
-		if (firsttime)
-			firsttime = 0;
-		else
+
+	in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
+	inlim = in + sdl->sdl_alen;
+
+	while (in < inlim && rem > 1) {
+		if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
 			*out++ = '.';
+			rem--;
+		}
 		i = *in++;
 		if (i > 0xf) {
-			out[1] = hexlist[i & 0xf];
+			if (rem < 3)
+				break;
+			*out++ = hexlist[i & 0xf];
 			i >>= 4;
-			out[0] = hexlist[i];
-			out += 2;
-		} else
 			*out++ = hexlist[i];
+			rem -= 2;
+		} else {
+			if (rem < 2)
+				break;
+			*out++ = hexlist[i];
+			rem++;
+		}
 	}
 	*out = 0;
 	return (obuf);

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh	Tue Dec  6 18:49:59 2016	(r309636)
+++ releng/9.3/sys/conf/newvers.sh	Tue Dec  6 18:50:06 2016	(r309637)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p50"
+BRANCH="RELEASE-p51"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi