git: f268f95955f5 - main - libutil: avoid an out-of-bounds read in trimdomain(3)

Tue, 03 Mar 2026 14:51:20 -0800 

The branch main has been updated by kevans:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f268f95955f5f0f91f4d39e13bcd69a24e0d8ce4

commit f268f95955f5f0f91f4d39e13bcd69a24e0d8ce4
Author:     Kyle Evans <[email protected]>
AuthorDate: 2026-03-03 22:51:02 +0000
Commit:     Kyle Evans <[email protected]>
CommitDate: 2026-03-03 22:51:02 +0000

    libutil: avoid an out-of-bounds read in trimdomain(3)
    
    memchr(3) will happily believe we've passed in a valid object, but
    hostsize could easily exceed the bounds of fullhost.  Clamp it down to
    the string size to be safe and avoid UB.  This plugs a potential
    overread noted in the compat shim that was just added.
    
    Reviewed by:    des
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D54623
---
 lib/libutil/tests/trimdomain_test.c | 4 +++-
 lib/libutil/trimdomain.c            | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/libutil/tests/trimdomain_test.c 
b/lib/libutil/tests/trimdomain_test.c
index ad5b92b0ce1e..c6305fa72ae9 100644
--- a/lib/libutil/tests/trimdomain_test.c
+++ b/lib/libutil/tests/trimdomain_test.c
@@ -78,11 +78,13 @@ int
 main(void)
 {
 
-       printf("1..5\n");
+       printf("1..6\n");
 
        testit(TESTFQDN, -1, TESTHOST, "self");
        testit("XXX" TESTDOMAIN, -1, "XXX", "different host, same domain");
        testit("XXX" TESTDOMAIN, 1, NULL, "short hostsize");
+       testit("XXX" TESTDOMAIN, strlen(TESTDOMAIN) + 256, "XXX",
+           "long hostsize");
        testit("bogus.example.net", -1, NULL, "arbitrary host");
        testit("XXX." TESTFQDN, -1, NULL, "domain is local hostname");
 
diff --git a/lib/libutil/trimdomain.c b/lib/libutil/trimdomain.c
index 47297817a76f..a4d53deaa216 100644
--- a/lib/libutil/trimdomain.c
+++ b/lib/libutil/trimdomain.c
@@ -73,6 +73,12 @@ trimdomain(char *fullhost, size_t hostsize)
        if (domain[0] == '\0')
                return;
 
+       /*
+        * Clamp hostsize down if it's out-of-bounds of fullhost, to avoid any
+        * kind of out-of-bounds read in the below memchr().
+        */
+       hostsize = strnlen(fullhost, hostsize);
+
        s = fullhost;
        end = s + hostsize + 1;
        if ((s = memchr(s, '.', (size_t)(end - s))) != NULL) {

Reply via email to