svn commit: r273412 - in stable/9: sbin/routed sys/kern usr.sbin/rtsold
Xin LI
delphij at FreeBSD.org
Tue Oct 21 20:20:18 UTC 2014
Author: delphij
Date: Tue Oct 21 20:20:17 2014
New Revision: 273412
URL: https://svnweb.freebsd.org/changeset/base/273412
Log:
Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20]
Fix routed(8) remote denial of service vulnerability. [SA-14:21]
Fix memory leak in sandboxed namei lookup. [SA-14:22]
Modified:
stable/9/sbin/routed/input.c
stable/9/sys/kern/vfs_lookup.c
stable/9/usr.sbin/rtsold/rtsol.c
Modified: stable/9/sbin/routed/input.c
==============================================================================
--- stable/9/sbin/routed/input.c Tue Oct 21 20:20:07 2014 (r273411)
+++ stable/9/sbin/routed/input.c Tue Oct 21 20:20:17 2014 (r273412)
@@ -288,6 +288,10 @@ input(struct sockaddr_in *from, /* rece
/* Answer a query from a utility program
* with all we know.
*/
+ if (aifp == NULL) {
+ trace_pkt("ignore remote query");
+ return;
+ }
if (from->sin_port != htons(RIP_PORT)) {
supply(from, aifp, OUT_QUERY, 0,
rip->rip_vers, ap != 0);
Modified: stable/9/sys/kern/vfs_lookup.c
==============================================================================
--- stable/9/sys/kern/vfs_lookup.c Tue Oct 21 20:20:07 2014 (r273411)
+++ stable/9/sys/kern/vfs_lookup.c Tue Oct 21 20:20:17 2014 (r273412)
@@ -121,6 +121,16 @@ TUNABLE_INT("vfs.lookup_shared", &lookup
* if symbolic link, massage name in buffer and continue
* }
*/
+static void
+namei_cleanup_cnp(struct componentname *cnp)
+{
+ uma_zfree(namei_zone, cnp->cn_pnbuf);
+#ifdef DIAGNOSTIC
+ cnp->cn_pnbuf = NULL;
+ cnp->cn_nameptr = NULL;
+#endif
+}
+
int
namei(struct nameidata *ndp)
{
@@ -182,11 +192,7 @@ namei(struct nameidata *ndp)
}
#endif
if (error) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
ndp->ni_vp = NULL;
return (error);
}
@@ -248,11 +254,7 @@ namei(struct nameidata *ndp)
}
}
if (error) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
return (error);
}
}
@@ -278,8 +280,10 @@ namei(struct nameidata *ndp)
if (*(cnp->cn_nameptr) == '/') {
vrele(dp);
VFS_UNLOCK_GIANT(vfslocked);
- if (ndp->ni_strictrelative != 0)
+ if (ndp->ni_strictrelative != 0) {
+ namei_cleanup_cnp(cnp);
return (ENOTCAPABLE);
+ }
while (*(cnp->cn_nameptr) == '/') {
cnp->cn_nameptr++;
ndp->ni_pathlen--;
@@ -293,11 +297,7 @@ namei(struct nameidata *ndp)
ndp->ni_startdir = dp;
error = lookup(ndp);
if (error) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0,
0, 0);
return (error);
@@ -309,11 +309,7 @@ namei(struct nameidata *ndp)
*/
if ((cnp->cn_flags & ISSYMLINK) == 0) {
if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
} else
cnp->cn_flags |= HASBUF;
@@ -379,11 +375,7 @@ namei(struct nameidata *ndp)
vput(ndp->ni_vp);
dp = ndp->ni_dvp;
}
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
vput(ndp->ni_vp);
ndp->ni_vp = NULL;
vrele(ndp->ni_dvp);
Modified: stable/9/usr.sbin/rtsold/rtsol.c
==============================================================================
--- stable/9/usr.sbin/rtsold/rtsol.c Tue Oct 21 20:20:07 2014 (r273411)
+++ stable/9/usr.sbin/rtsold/rtsol.c Tue Oct 21 20:20:17 2014 (r273412)
@@ -933,7 +933,8 @@ dname_labeldec(char *dst, size_t dlen, c
dst_origin = dst;
memset(dst, '\0', dlen);
while (src && (len = (uint8_t)(*src++) & 0x3f) &&
- (src + len) <= src_last) {
+ (src + len) <= src_last &&
+ (dst - dst_origin < (ssize_t)dlen)) {
if (dst != dst_origin)
*dst++ = '.';
warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);
More information about the svn-src-stable-9
mailing list