Date:      Tue, 21 Oct 2014 20:20:37 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r273414 - in releng/10.1: sbin/routed sys/kern usr.sbin/rtsold
Message-ID:  <201410212020.s9LKKbwR069684@svn.freebsd.org>

Author: delphij
Date: Tue Oct 21 20:20:36 2014
New Revision: 273414
URL: https://svnweb.freebsd.org/changeset/base/273414

Log:
  Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20]
  
  Fix routed(8) remote denial of service vulnerability. [SA-14:21]
  
  Fix memory leak in sandboxed namei lookup. [SA-14:22]
  
  Approved by:	re (so@ blanket)

Modified:
  releng/10.1/sbin/routed/input.c
  releng/10.1/sys/kern/vfs_lookup.c
  releng/10.1/usr.sbin/rtsold/rtsol.c

Modified: releng/10.1/sbin/routed/input.c
==============================================================================
--- releng/10.1/sbin/routed/input.c	Tue Oct 21 20:20:26 2014	(r273413)
+++ releng/10.1/sbin/routed/input.c	Tue Oct 21 20:20:36 2014	(r273414)
@@ -288,6 +288,10 @@ input(struct sockaddr_in *from,		/* rece
 				/* Answer a query from a utility program
 				 * with all we know.
 				 */
+				if (aifp == NULL) {
+					trace_pkt("ignore remote query");
+					return;
+				}
 				if (from->sin_port != htons(RIP_PORT)) {
 					supply(from, aifp, OUT_QUERY, 0,
 					       rip->rip_vers, ap != 0);
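Review bot: The new guard returns silently when aifp is NULL but carries no comment saying why that case is reachable or what it protects; a one-line note above it would save the next reader a trip through the caller, e.g. `/* Drop queries that carry no associated interface; supply() is handed aifp on the lines below. */`. That supply() cannot tolerate a NULL aifp is inferred from the call that follows, not visible in this hunk. The enclosing input() begins and ends outside the hunk.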

Modified: releng/10.1/sys/kern/vfs_lookup.c
==============================================================================
--- releng/10.1/sys/kern/vfs_lookup.c	Tue Oct 21 20:20:26 2014	(r273413)
+++ releng/10.1/sys/kern/vfs_lookup.c	Tue Oct 21 20:20:36 2014	(r273414)
@@ -121,6 +121,16 @@ TUNABLE_INT("vfs.lookup_shared", &lookup
  *		if symbolic link, massage name in buffer and continue
  *	}
  */
+static void
+namei_cleanup_cnp(struct componentname *cnp)
+{
+	uma_zfree(namei_zone, cnp->cn_pnbuf);
+#ifdef DIAGNOSTIC
+	cnp->cn_pnbuf = NULL;
+	cnp->cn_nameptr = NULL;
+#endif
+}
+
 int
 namei(struct nameidata *ndp)
 {
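Review bot: namei_cleanup_cnp() is introduced without a header comment, and since the rest of this commit makes it the single place every error and success path releases the pathname buffer, it deserves one, e.g. `/* Release the pathname buffer this lookup took from namei_zone. Under DIAGNOSTIC the stale pointers are cleared so a later use faults rather than reading freed memory. */`. Outside DIAGNOSTIC builds cn_pnbuf and cn_nameptr keep their dangling values; clearing them unconditionally is two cheap stores and would make the helper's contract uniform, though that is a behaviour choice the commit preserves from the inlined code it replaces. The namei() definition that starts at the end of the hunk continues outside it.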
@@ -185,11 +195,7 @@ namei(struct nameidata *ndp)
 	}
 #endif
 	if (error) {
-		uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-		cnp->cn_pnbuf = NULL;
-		cnp->cn_nameptr = NULL;
-#endif
+		namei_cleanup_cnp(cnp);
 		ndp->ni_vp = NULL;
 		return (error);
 	}
@@ -256,11 +262,7 @@ namei(struct nameidata *ndp)
 			}
 		}
 		if (error) {
-			uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-			cnp->cn_pnbuf = NULL;
-			cnp->cn_nameptr = NULL;
-#endif
+			namei_cleanup_cnp(cnp);
 			return (error);
 		}
 	}
@@ -286,6 +288,7 @@ namei(struct nameidata *ndp)
 				if (KTRPOINT(curthread, KTR_CAPFAIL))
 					ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
 #endif
+				namei_cleanup_cnp(cnp);
 				return (ENOTCAPABLE);
 			}
 			while (*(cnp->cn_nameptr) == '/') {
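Review bot: The cleanup added before `return (ENOTCAPABLE)` frees the buffer but, unlike the error path near the top of namei() in the hunk at @@ -185, which follows `namei_cleanup_cnp(cnp)` with `ndp->ni_vp = NULL;`, it leaves ndp->ni_vp untouched. Whether ni_vp can hold a stale vnode here, for instance on a later pass of the loop after a symbolic link was followed, cannot be determined from this hunk, so this is a consistency question rather than a confirmed defect; if any caller inspects ni_vp on failure, `ndp->ni_vp = NULL;` should accompany the cleanup. The enclosing loop and namei() extend outside the hunk.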
@@ -298,11 +301,7 @@ namei(struct nameidata *ndp)
 		ndp->ni_startdir = dp;
 		error = lookup(ndp);
 		if (error) {
-			uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-			cnp->cn_pnbuf = NULL;
-			cnp->cn_nameptr = NULL;
-#endif
+			namei_cleanup_cnp(cnp);
 			SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0,
 			    0, 0);
 			return (error);
@@ -312,11 +311,7 @@ namei(struct nameidata *ndp)
 		 */
 		if ((cnp->cn_flags & ISSYMLINK) == 0) {
 			if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
-				uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-				cnp->cn_pnbuf = NULL;
-				cnp->cn_nameptr = NULL;
-#endif
+				namei_cleanup_cnp(cnp);
 			} else
 				cnp->cn_flags |= HASBUF;
 
@@ -378,11 +373,7 @@ namei(struct nameidata *ndp)
 		vput(ndp->ni_vp);
 		dp = ndp->ni_dvp;
 	}
-	uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
-	cnp->cn_pnbuf = NULL;
-	cnp->cn_nameptr = NULL;
-#endif
+	namei_cleanup_cnp(cnp);
 	vput(ndp->ni_vp);
 	ndp->ni_vp = NULL;
 	vrele(ndp->ni_dvp);

Modified: releng/10.1/usr.sbin/rtsold/rtsol.c
==============================================================================
--- releng/10.1/usr.sbin/rtsold/rtsol.c	Tue Oct 21 20:20:26 2014	(r273413)
+++ releng/10.1/usr.sbin/rtsold/rtsol.c	Tue Oct 21 20:20:36 2014	(r273414)
@@ -933,7 +933,8 @@ dname_labeldec(char *dst, size_t dlen, c
 	dst_origin = dst;
 	memset(dst, '\0', dlen);
 	while (src && (len = (uint8_t)(*src++) & 0x3f) &&
-	    (src + len) <= src_last) {
+	    (src + len) <= src_last &&
+	    (dst - dst_origin < (ssize_t)dlen)) {
 		if (dst != dst_origin)
 			*dst++ = '.';
 		warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);
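Review bot: The new bound `(dst - dst_origin < (ssize_t)dlen)` only guarantees that at least one byte of room remains when an iteration starts, yet the body already writes a separator on the visible `*dst++ = '.'` line and presumably copies the `len`-byte label (up to 63 bytes, from the `& 0x3f` mask) and a terminating NUL further down, outside the hunk. If the rest of the function does not re-check before that copy, a crafted sequence of labels can still carry dst past dst_origin + dlen, so the condition should reserve the bytes the iteration will write, e.g. `(size_t)(dst - dst_origin) + (dst != dst_origin ? 1 : 0) + len < dlen` (len is non-negative here because it is masked from a uint8_t). The `(ssize_t)dlen` cast also turns any dlen above SSIZE_MAX negative and would then stop the loop immediately, harmless but worth a comment if it stays. dname_labeldec() begins and ends outside the hunk.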


