authorKyle Evans <kevans@FreeBSD.org>2026-03-03 22:51:02 +0000
committerKyle Evans <kevans@FreeBSD.org>2026-03-03 22:51:02 +0000
commitf268f95955f5f0f91f4d39e13bcd69a24e0d8ce4 (patch)
tree2d1d9bdf89d935d821746299c69f5ccd925391de
parent7e70589b1bee4853cb11e3d8eb963079b18ff534 (diff)
libutil: avoid an out-of-bounds read in trimdomain(3)
memchr(3) will happily believe we've passed in a valid object, but hostsize could easily exceed the bounds of fullhost. Clamp it down to the string size to be safe and avoid UB. This plugs a potential overread noted in the compat shim that was just added. Reviewed by: des Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D54623
-rw-r--r--lib/libutil/tests/trimdomain_test.c4
-rw-r--r--lib/libutil/trimdomain.c6
2 files changed, 9 insertions, 1 deletions
diff --git a/lib/libutil/tests/trimdomain_test.c b/lib/libutil/tests/trimdomain_test.c
index ad5b92b0ce1e..c6305fa72ae9 100644
--- a/lib/libutil/tests/trimdomain_test.c
+++ b/lib/libutil/tests/trimdomain_test.c
@@ -78,11 +78,13 @@ int
main(void)
{
- printf("1..5\n");
+ printf("1..6\n");
testit(TESTFQDN, -1, TESTHOST, "self");
testit("XXX" TESTDOMAIN, -1, "XXX", "different host, same domain");
testit("XXX" TESTDOMAIN, 1, NULL, "short hostsize");
+ testit("XXX" TESTDOMAIN, strlen(TESTDOMAIN) + 256, "XXX",
+ "long hostsize");
testit("bogus.example.net", -1, NULL, "arbitrary host");
testit("XXX." TESTFQDN, -1, NULL, "domain is local hostname");
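Review bot: The new "long hostsize" case in main() probably passes with or without the fix, because the '.' in `"XXX" TESTDOMAIN` comes right after the three host characters and memchr() will in practice stop there, well before it runs off the string. Only a sanitizer or fortified build would notice the oversized length. A host with no '.' at all forces memchr() to walk the whole claimed range, so a companion case such as `testit("XXX", strlen(TESTDOMAIN) + 256, NULL, "long hostsize, no dot");` with the plan raised to `1..7` would exercise the clamp directly. That assumes a NULL expectation means "input left unchanged", as the neighbouring cases suggest; testit() is not visible here, and main() continues past the end of the hunk.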
diff --git a/lib/libutil/trimdomain.c b/lib/libutil/trimdomain.c
index 47297817a76f..a4d53deaa216 100644
--- a/lib/libutil/trimdomain.c
+++ b/lib/libutil/trimdomain.c
@@ -73,6 +73,12 @@ trimdomain(char *fullhost, size_t hostsize)
if (domain[0] == '\0')
return;
+ /*
+ * Clamp hostsize down if it's out-of-bounds of fullhost, to avoid any
+ * kind of out-of-bounds read in the below memchr().
+ */
+ hostsize = strnlen(fullhost, hostsize);
+
s = fullhost;
end = s + hostsize + 1;
if ((s = memchr(s, '.', (size_t)(end - s))) != NULL) {
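Review bot: The clamp `hostsize = strnlen(fullhost, hostsize);` only bounds the read if fullhost is NUL-terminated, and the new comment does not say so. Without a terminator, strnlen() itself scans the caller's full hostsize, and `end = s + hostsize + 1` then lets memchr() look one byte past that size. I would record the precondition in the comment, for example `* fullhost must be a NUL-terminated string; hostsize only limits how far we search for the '.'.` Note also that every later use of `hostsize` and `end` now sees the clamped value. The rest of trimdomain() lies outside this hunk, so that is worth checking against the full body.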