diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2026-03-24 02:12:42 +0000 |
|---|---|---|
| committer | Gordon Tetlow <gordon@FreeBSD.org> | 2026-03-26 01:11:54 +0000 |
| commit | 143293c14f8de00c6d3de88cd23fc224e7014206 (patch) | |
| tree | 9c3672cf4c2c7263c948d1abc01d445df588bd15 /usr.sbin/pc-sysinstall/examples/(developers-only) | |
| parent | 6b2d6ccad2552e46a5c9c3ba70b2d0ed27c70ca8 (diff) | |
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc@anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
Diffstat (limited to 'usr.sbin/pc-sysinstall/examples/(developers-only)')
0 files changed, 0 insertions, 0 deletions