git: bf804f69dd94 - main - rtsold: Validate entries in domain search lists

Tue, 16 Dec 2025 15:39:31 -0800 

The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=bf804f69dd94b3c98962618b4ad3b48a35bff2ff

commit bf804f69dd94b3c98962618b4ad3b48a35bff2ff
Author:     Mark Johnston <[email protected]>
AuthorDate: 2025-12-15 20:50:08 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2025-12-16 23:38:48 +0000

    rtsold: Validate entries in domain search lists
    
    Reported by:    Kevin Day <[email protected]>
    Approved by:    so
    Security:       FreeBSD-SA-25:12.rtsold
    Security:       CVE-2025-14558
---
 usr.sbin/rtsold/rtsol.c | 46 ++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index 79928932ca5c..a7d5a44a7d44 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -776,6 +776,41 @@ call_script(const char *const argv[], struct 
script_msg_head_t *sm_head)
                    argv[0], status);
 }
 
+#define        PERIOD 0x2e
+#define        hyphenchar(c) ((c) == 0x2d)
+#define        periodchar(c) ((c) == PERIOD)
+#define        alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) || \
+           ((c) >= 0x61 && (c) <= 0x7a))
+#define        digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+
+#define        borderchar(c) (alphachar(c) || digitchar(c))
+#define        middlechar(c) (borderchar(c) || hyphenchar(c))
+
+static int
+res_hnok(const char *dn)
+{
+       int pch = PERIOD, ch = *dn++;
+
+       while (ch != '\0') {
+               int nch = *dn++;
+
+               if (periodchar(ch)) {
+                       ;
+               } else if (periodchar(pch)) {
+                       if (!borderchar(ch))
+                               return (0);
+               } else if (periodchar(nch) || nch == '\0') {
+                       if (!borderchar(ch))
+                               return (0);
+               } else {
+                       if (!middlechar(ch))
+                               return (0);
+               }
+               pch = ch, ch = nch;
+       }
+       return (1);
+}
+
 /* Decode domain name label encoding in RFC 1035 Section 3.1 */
 static size_t
 dname_labeldec(char *dst, size_t dlen, const char *src)
@@ -804,12 +839,11 @@ dname_labeldec(char *dst, size_t dlen, const char *src)
        }
        *dst = '\0';
 
-       /*
-        * XXX validate that domain name only contains valid characters
-        * for two reasons: 1) correctness, 2) we do not want to pass
-        * possible malicious, unescaped characters like `` to a script
-        * or program that could be exploited that way.
-        */
+       if (!res_hnok(dst_origin)) {
+               warnmsg(LOG_INFO, __func__,
+                   "invalid domain name '%s' was ignored", dst_origin);
+               return (0);
+       }
 
        return (src - src_origin);
 }

Reply via email to