author | Gleb Smirnoff <glebius@FreeBSD.org> | 2016-12-06 18:50:06 +0000 |
---|---|---|
committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2016-12-06 18:50:06 +0000 |
commit | eb302dbc19f895b99b9ca7521d05389ee7559d73 (patch) | |
tree | 80dd8959250cd173c1498318bbea2dcc29e2ae73 | |
parent | 2ec2a2e9b9bbe9e80ad07fc44c54e0a413720c00 (diff) | |
Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
Fix link_ntoa(3) buffer overflow in libc. [SA-16:37]
Fix warnings about valid time zone abbreviations. [EN-16:19]
Update timezone database information. [EN-16:20]
Security: FreeBSD-SA-16:36.telnetd
Security: FreeBSD-SA-16:37.libc
Errata Notice: FreeBSD-EN-16:19.tzcode
Errata Notice: FreeBSD-EN-16:20.tzdata
Approved by: so
Notes
Notes:
svn path=/releng/9.3/; revision=309637
-rw-r--r-- | UPDATING | 10 | ||||
-rw-r--r-- | contrib/telnet/telnetd/sys_term.c | 7 | ||||
-rw-r--r-- | lib/libc/net/linkaddr.c | 51 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
4 files changed, 49 insertions, 21 deletions
@@ -11,6 +11,16 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade.
+20161206 p51 FreeBSD-SA-16:36.telnetd
+ FreeBSD-SA-16:37.libc
+ FreeBSD-EN-16:19.tzcode
+ FreeBSD-EN-16:20.tzdata
+
+ Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
+ Fix link_ntoa(3) buffer overflow in libc. [SA-16:37]
+ Fix warnings about valid time zone abbreviations. [EN-16:19]
+ Update timezone database information. [EN-16:20]
+
 20161102 p50 FreeBSD-SA-16:34.bind FreeBSD-SA-16:35.openssl
diff --git a/contrib/telnet/telnetd/sys_term.c b/contrib/telnet/telnetd/sys_term.c
index a7b0075f387d..fa7050d68ef0 100644
--- a/contrib/telnet/telnetd/sys_term.c
+++ b/contrib/telnet/telnetd/sys_term.c
@@ -1211,7 +1211,7 @@ addarg(char **argv, const char *val)
 */
 argv = (char **)malloc(sizeof(*argv) * 12);
 if (argv == NULL)
- return(NULL);
+ fatal(net, "failure allocating argument space");
 *argv++ = (char *)10;
 *argv = (char *)0;
 }
@@ -1222,11 +1222,12 @@ addarg(char **argv, const char *val)
 *argv = (char *)((long)(*argv) + 10);
 argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
 if (argv == NULL)
- return(NULL);
+ fatal(net, "failure allocating argument space");
 argv++;
 cpp = &argv[(long)argv[-1] - 10];
 }
- *cpp++ = strdup(val);
+ if ((*cpp++ = strdup(val)) == NULL)
+ fatal(net, "failure allocating argument space");
 *cpp = 0;
 return(argv);
 }
diff --git a/lib/libc/net/linkaddr.c b/lib/libc/net/linkaddr.c
index 86bb7a2955ee..9b1da65450ec 100644
--- a/lib/libc/net/linkaddr.c
+++ b/lib/libc/net/linkaddr.c
@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <net/if.h>
 #include <net/if_dl.h>
 #include <string.h>
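Review bot: All three new failure branches in addarg() depend on fatal() never returning, and nothing visible in either hunk says so; if it did return, the first hunk would go on to `*argv++ = (char *)10;` through a NULL pointer. I would state the new contract where the function is documented, e.g. `/* Never returns NULL: an allocation failure ends the session via fatal(). */`, so later callers neither re-add NULL checks nor assume a partially built argv can come back. The same applies to the realloc and strdup checks in the second hunk (@@ -1222). addarg's opening lines are outside both hunks, so this is based only on what the hunks show.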
@@ -125,31 +126,47 @@ link_ntoa(sdl)
 const struct sockaddr_dl *sdl;
 {
 static char obuf[64];
- char *out = obuf;
- int i;
- u_char *in = (u_char *)LLADDR(sdl);
- u_char *inlim = in + sdl->sdl_alen;
- int firsttime = 1;
+ _Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
+ char *out;
+ const char *in, *inlim;
+ int namelen, i, rem;
- if (sdl->sdl_nlen) {
- bcopy(sdl->sdl_data, obuf, sdl->sdl_nlen);
- out += sdl->sdl_nlen;
- if (sdl->sdl_alen)
+ namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ;
+
+ out = obuf;
+ rem = sizeof(obuf);
+ if (namelen > 0) {
+ bcopy(sdl->sdl_data, out, namelen);
+ out += namelen;
+ rem -= namelen;
+ if (sdl->sdl_alen > 0) {
 *out++ = ':';
+ rem--;
+ }
 }
- while (in < inlim) {
- if (firsttime)
- firsttime = 0;
- else
+
+ in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
+ inlim = in + sdl->sdl_alen;
+
+ while (in < inlim && rem > 1) {
+ if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
 *out++ = '.';
+ rem--;
+ }
 i = *in++;
 if (i > 0xf) {
- out[1] = hexlist[i & 0xf];
+ if (rem < 3)
+ break;
+ *out++ = hexlist[i & 0xf];
 i >>= 4;
- out[0] = hexlist[i];
- out += 2;
- } else
 *out++ = hexlist[i];
+ rem -= 2;
+ } else {
+ if (rem < 2)
+ break;
+ *out++ = hexlist[i];
+ rem++;
+ }
 }
 *out = 0;
 return (obuf);
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 5398221d4025..460177f397f1 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p50"
+BRANCH="RELEASE-p51"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi |
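Review bot: The single-digit branch at the end of the link_ntoa loop does `rem++` after storing a character, so for address bytes of 0xf or less `rem` never shrinks and the `rem > 1` / `rem < 2` guards no longer bound writes into the 64-byte `obuf`; it should be `rem--`. Two further points in the same loop: `in` is now `const char *`, so where `char` is signed a byte of 0x80 or above makes `i` negative and `hexlist[i]` indexes before the table; and the two-digit branch stores `hexlist[i & 0xf]` before the shifted value, which reverses the digit order the removed `out[0]`/`out[1]` code produced. The fence shows only the lines I would change. link_ntoa's closing brace is outside the hunk.

```c
	const u_char *in, *inlim;	/* unsigned so every byte indexes hexlist in range */
	/* … unchanged: namelen clamp, name copy and ':' separator … */
	in = (const u_char *)sdl->sdl_data + sdl->sdl_nlen;
	/* … unchanged: inlim, loop header … */
		if (in != (const u_char *)sdl->sdl_data + sdl->sdl_nlen) {
		/* … unchanged: '.' separator, byte fetch, rem < 3 check … */
			*out++ = hexlist[i >> 4];	/* high digit first, as before the change */
			*out++ = hexlist[i & 0xf];
			rem -= 2;
		/* … unchanged: else branch up to the single-digit store … */
			rem--;
```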