authorMark Johnston <markj@FreeBSD.org>2025-12-15 20:50:08 +0000
committerMark Johnston <markj@FreeBSD.org>2025-12-16 23:44:05 +0000
commit4fef5819cca9c54bb6d45520ac125c97979b845a (patch)
treed75e86be913910443e08c3170503e780a5cf05c7
parentc93d9e082b4e3d3fb367a1fd56cf447bccae2e93 (diff)
rtsold: Validate entries in domain search lists
Reported by: Kevin Day <kevin@your.org> Approved by: so Security: FreeBSD-SA-25:12.rtsold Security: CVE-2025-14558 (cherry picked from commit bf804f69dd94b3c98962618b4ad3b48a35bff2ff)
-rw-r--r--usr.sbin/rtsold/rtsol.c46
1 files changed, 40 insertions, 6 deletions
diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index 187aa44f6740..72573c2eb4b0 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -764,6 +764,41 @@ call_script(const char *const argv[], struct script_msg_head_t *sm_head)
argv[0], status);
}
+#define PERIOD 0x2e
+#define hyphenchar(c) ((c) == 0x2d)
+#define periodchar(c) ((c) == PERIOD)
+#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) || \
+ ((c) >= 0x61 && (c) <= 0x7a))
+#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+
+#define borderchar(c) (alphachar(c) || digitchar(c))
+#define middlechar(c) (borderchar(c) || hyphenchar(c))
+
+static int
+res_hnok(const char *dn)
+{
+ int pch = PERIOD, ch = *dn++;
+
+ while (ch != '\0') {
+ int nch = *dn++;
+
+ if (periodchar(ch)) {
+ ;
+ } else if (periodchar(pch)) {
+ if (!borderchar(ch))
+ return (0);
+ } else if (periodchar(nch) || nch == '\0') {
+ if (!borderchar(ch))
+ return (0);
+ } else {
+ if (!middlechar(ch))
+ return (0);
+ }
+ pch = ch, ch = nch;
+ }
+ return (1);
+}
+
/* Decode domain name label encoding in RFC 1035 Section 3.1 */
static size_t
dname_labeldec(char *dst, size_t dlen, const char *src)
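Review bot: res_hnok() has no comment saying what it accepts, and as written it returns 1 for the empty string and for names with leading or repeated periods, because the `periodchar(ch)` branch is an empty statement. None of those cases lets a byte outside `[A-Za-z0-9.-]` through, so the allow-list property that matters for the script arguments still holds, but a reader cannot tell whether the looser cases are intended. I would add a header comment such as `/* Return 1 iff dn contains only letters, digits, '-' and '.', and no label starts or ends with '-'; empty names and empty labels are accepted. */`. The function name and macros appear to mirror the libc resolver's hostname check; if this is a local copy, saying so in the comment would help keep the two in step.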
@@ -792,12 +827,11 @@ dname_labeldec(char *dst, size_t dlen, const char *src)
}
*dst = '\0';
- /*
- * XXX validate that domain name only contains valid characters
- * for two reasons: 1) correctness, 2) we do not want to pass
- * possible malicious, unescaped characters like `` to a script
- * or program that could be exploited that way.
- */
+ if (!res_hnok(dst_origin)) {
+ warnmsg(LOG_INFO, __func__,
+ "invalid domain name '%s' was ignored", dst_origin);
+ return (0);
+ }
return (src - src_origin);
}
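Review bot: The new early `return (0)` overloads a return value that is otherwise the number of source bytes consumed (`src - src_origin`), and nothing in the hunk says what 0 means to the caller. The caller is outside the hunk; if it stops iterating on a small return value, one rejected name would also drop every later entry in the same search list, which may be intended but should be stated, e.g. `/* Invalid name: return 0; the caller treats this as end of list. */` once that is confirmed. The removed XXX comment was the only place recording why validation matters (unescaped characters reaching a script or program), so one line of that rationale above the check is worth keeping. The rejected name is also logged with `%s` before any sanitising, so it is worth confirming that warnmsg() or the log sink escapes control bytes. dname_labeldec's body begins outside the hunk.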