diff options
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2026-02-13 15:57:50 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2026-02-13 15:57:58 +0000 |
| commit | 59906a163e474c8d00bdebe226c4d47332b91bad (patch) | |
| tree | 9be35a87c254aeed0b2c6d06dd929fe676b90213 | |
| parent | 585190dff436eeea3be97300e36c82559028d3dd (diff) | |
ngctl: Fix buffer overflow in config command
Keep track of our buffer length when assembling the argument list.
PR: 293075
MFC after: 1 week
Reviewed by: zlei, markj
Differential Revision: https://reviews.freebsd.org/D55259
| -rw-r--r-- | usr.sbin/ngctl/config.c | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/usr.sbin/ngctl/config.c b/usr.sbin/ngctl/config.c index 25cd841494d1..0c9096738efa 100644 --- a/usr.sbin/ngctl/config.c +++ b/usr.sbin/ngctl/config.c @@ -62,7 +62,7 @@ ConfigCmd(int ac, char **av) struct ng_mesg *const resp = (struct ng_mesg *) sbuf; char *const status = (char *) resp->data; char *path; - char buf[NG_TEXTRESPONSE]; + char buf[NG_TEXTRESPONSE], *pos, *end; int nostat = 0, i; /* Get arguments */ @@ -70,20 +70,26 @@ ConfigCmd(int ac, char **av) return (CMDRTN_USAGE); path = av[1]; - *buf = '\0'; + pos = buf; + end = buf + sizeof(buf); for (i = 2; i < ac; i++) { - if (i != 2) - strcat(buf, " "); - strcat(buf, av[i]); + if (i > 2) { + if (pos == end) + return (CMDRTN_USAGE); + *pos++ = ' '; + } + if ((pos += strlcpy(pos, av[i], end - pos)) >= end) + return (CMDRTN_USAGE); } - + *pos = '\0'; + /* Get node config summary */ if (*buf != '\0') i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, buf, strlen(buf) + 1); + NGM_TEXT_CONFIG, buf, pos - buf + 1); else i = NgSendMsg(csock, path, NGM_GENERIC_COOKIE, - NGM_TEXT_CONFIG, NULL, 0); + NGM_TEXT_CONFIG, NULL, 0); if (i < 0) { switch (errno) { case EINVAL: |