Revised SA-16:37, addressing regressions from initial SA.

svn path=/head/; revision=49715
2016-12-08 03:59:23 +00:00 · 2016-12-08 03:59:23 +00:00 · 2dd1eb304f · 2020-12-08 03:00:23 +00:00
commit 2dd1eb304f
parent 366ff17d89
5 changed files with 130 additions and 54 deletions
--- a/share/security/advisories/FreeBSD-SA-16:37.libc.asc
+++ b/share/security/advisories/FreeBSD-SA-16:37.libc.asc
@ -9,22 +9,27 @@ Topic:          link_ntoa(3) buffer overflow
 Category:       core
 Module:         libc
-Announced:      2016-12-06
+Announced:      2016-12-06, revised on 2016-12-08
 Affects:        All supported versions of FreeBSD.
-Corrected:      2016-12-06 18:53:21 UTC (stable/11, 11.0-STABLE)
+Corrected:      2016-12-07 23:19:46 UTC (stable/11, 11.0-STABLE)
-                2016-12-06 18:49:38 UTC (releng/11.0, 11.0-RELEASE-p4)
+                2016-12-07 23:29:42 UTC (releng/11.0, 11.0-RELEASE-p5)
-                2016-12-06 18:53:46 UTC (stable/10, 10.3-STABLE)
+                2016-12-07 23:20:26 UTC (stable/10, 10.3-STABLE)
-                2016-12-06 18:49:48 UTC (releng/10.3, 10.3-RELEASE-p13)
+                2016-12-07 23:31:07 UTC (releng/10.3, 10.3-RELEASE-p14)
-                2016-12-06 18:49:54 UTC (releng/10.2, 10.2-RELEASE-p26)
+                2016-12-07 23:32:42 UTC (releng/10.2, 10.2-RELEASE-p27)
-                2016-12-06 18:49:59 UTC (releng/10.1, 10.1-RELEASE-p43)
+                2016-12-07 23:34:06 UTC (releng/10.1, 10.1-RELEASE-p44)
-                2016-12-06 18:54:04 UTC (stable/9, 9.3-STABLE)
+                2016-12-07 23:20:50 UTC (stable/9, 9.3-STABLE)
-                2016-12-06 18:50:06 UTC (releng/9.3, 9.3-RELEASE-p51)
+                2016-12-07 23:35:15 UTC (releng/9.3, 9.3-RELEASE-p52)
 CVE Name:       CVE-2016-6559
 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
 following sections, please visit <URL:https://security.FreeBSD.org/>.
 0.   Revision history.
 v1.0  2016-12-06 Initial release.
 v1.1  2016-12-08 Revised patches to address regressions.
 I.   Background
 The link_ntoa(3) function generates ASCII representation of a link-level
@ -73,10 +78,21 @@ FreeBSD release branches.
 a) Download the relevant patch from the location below, and verify the
 detached PGP signature using your PGP utility.
 [*** v1.1 NOTE ***] If your sources are not yet patched using the initially
 published patch, then you need to apply libc.patch.  If your sources are
 already updated, or patched with patch from the initial advisory, then you
 need to apply the incremental patch, named libc-inc.patch.
 [FreeBSD system, not patched with initial SA-16:37 patch]
 # fetch https://security.FreeBSD.org/patches/SA-16:37/libc.patch
 # fetch https://security.FreeBSD.org/patches/SA-16:37/libc.patch.asc
 # gpg --verify libc.patch.asc
 [FreeBSD system, initial SA-16:37 patch already applied]
 # fetch https://security.FreeBSD.org/patches/SA-16:37/libc-inc.patch
 # fetch https://security.FreeBSD.org/patches/SA-16:37/libc-inc.patch.asc
 # gpg --verify libc-inc.patch.asc
 b) Apply the patch.  Execute the following commands as root:
 # cd /usr/src
@ -94,14 +110,14 @@ affected branch.
 Branch/path                                                      Revision
 - -------------------------------------------------------------------------
-stable/9/                                                         r309646
+stable/9/                                                         r309691
-releng/9.3/                                                       r309637
+releng/9.3/                                                       r309697
-stable/10/                                                        r309645
+stable/10/                                                        r309690
-releng/10.1/                                                      r309636
+releng/10.1/                                                      r309696
-releng/10.2/                                                      r309635
+releng/10.2/                                                      r309694
-releng/10.3/                                                      r309634
+releng/10.3/                                                      r309693
-stable/11/                                                        r309644
+stable/11/                                                        r309689
-releng/11.0/                                                      r309633
+releng/11.0/                                                      r309692
 - -------------------------------------------------------------------------
 To see which files were modified by a particular revision, run the
@ -118,22 +134,23 @@ VII. References
 <URL:http://www.kb.cert.org/vuls/id/548487>
 <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6559>
 <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215105>
 The latest revision of this advisory is available at
 <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:37.libc.asc>
 -----BEGIN PGP SIGNATURE-----
-iQIcBAEBCgAGBQJYRw1vAAoJEO1n7NZdz2rnk5sP/18NuTRoit3jfa1uHCYMyTOB
+iQIcBAEBCgAGBQJYSNoxAAoJEO1n7NZdz2rnQfQP/0oJ8WdTTVMpjEHRBQ7WbayB
-vOGtNtn5xs8NNY4wAdYx2cF3CscTZEWyQtXWsMWzXgbWI0KrWteacGDaDlFwraCu
+f7Y8MeVFErNLL8caQDxRyiF/ex07m5m2morik84ggDTkHiWnllaP0H3MadivP9Ly
-9/TJmkCQC5FCfYsgQFOpOPtMl9W+gY2ZrmEPXsfc/smjvIas3fPCBjnoRM2qQlfc
+XspViMU73r49PmYTAsrMARyW2ncufgGpsvaEcVOVKEAiwcm0ATu7gnTf+cyrfWoe
-25YIut+S6OFhm2XM42t/jljbLs6b/PJikeKt7kEEEjKKXWHNwLEYjbtEyelKxD1i
+k9HlTS18bN18zQ/FFSJPjmIsTh8Cb+cdF6SrVEt7bIcoVzZWMU/sDJP9JDnRFa3+
-1IBVe4Run2RajERg99yCznAGGvRo2hbGmnV59kDAilanJK+s3pzCOBFdnKyZd/2l
+o7bWDQg3kfA8k3XEzrL9FSO52Sr9jNslZGAaycFFQjxecgC/05mTbqPsJOpdhkaC
-Ie8B/fKEXRJyFgJF7A9eSuElTV5fCFfX05AC3PXMoi+GsVPQqhEpNb1FvJoANiFL
+mfcARX/8+iwxsE/3h7R5OK6vsu6piUE6vi8HsnTwK7ZMz/IYkPpe4C9WroRYAG29
-l61nbqkM5KEteIWvf1udHZo6kjhYY4YlvutXW7o41XaUhnaO3dC+4+VpfTycH/no
+mqBl+qdVElk/DXPgsz6F7PHqG3SUY3Kkn/bMGT4B3yLjNvWs4+pjh74uyvVLPKkQ
-j8kVFS1Y9oun31TTZ/+aQqnCfozAMKFaZtrZI3UkSR1kjz5Z5Rqrc4isBhXXP1dQ
+meQEs3VLl+c0VkpAxbieMS1KChJwBAKAD7Cevg83YfosC8/LFRoqS6kofjXjVqCd
-QC87THCyW2D1+E0LvMyJEWKtjGMd8OO5KZjvTxcmxDSrqEOn+yGT1Lp8G/NLuQ4D
+dd0cSWyOE6y/eFy2187lncnz1BNW1Eg8AEH02vEkXOI5hrnhmO6t0cH9dQcj3nHa
-zcarPPl2eE0bikvL/T/k7OdpplTDXoaCOHiMIr02WpbJwipw6HD4FZrg1IQu/Db9
+6yULqFHJJJGsGqPD1/FkXjn7hAMKsMMROCGpY0txNVA2a3Z6zf593nZL7Vr1nPy7
-2cHihr/tS1mbr7k/VKUyIZvQQhZ9j72m4wwBk0CFEG8DeZtMeSum1xgLTEjUerHe
+7C7/sKToSilR3OJGoSFxNlRHqkgb08dQOzsof/355M94baKw82QAULuQoOBYu0DU
-rWrKG2feWv//R0BvVNhu
+PZ21bNtGfZSN4rThyVuQ
-=8y53
+=Id1+
 -----END PGP SIGNATURE-----
--- a/share/security/patches/SA-16:37/libc-inc.patch
+++ b/share/security/patches/SA-16:37/libc-inc.patch
@ -0,0 +1,43 @@
 --- lib/libc/net/linkaddr.c.orig
 +++ lib/libc/net/linkaddr.c
@@ -125,7 +125,7 @@
 	static char obuf[64];
 	_Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
 	char *out;
 -	const char *in, *inlim;
 +	const u_char *in, *inlim;
 	int namelen, i, rem;
 	namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ;
@@ -142,11 +142,11 @@
 		}
 	}
 -	in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
 +	in = (const u_char *)sdl->sdl_data + sdl->sdl_nlen;
 	inlim = in + sdl->sdl_alen;
 	while (in < inlim && rem > 1) {
 -		if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
 +		if (in != (const u_char *)sdl->sdl_data + sdl->sdl_nlen) {
 			*out++ = '.';
 			rem--;
 		}
@@ -154,15 +154,14 @@
 		if (i > 0xf) {
 			if (rem < 3)
 				break;
 +			*out++ = hexlist[i >> 4];
 			*out++ = hexlist[i & 0xf];
 -			i >>= 4;
 -			*out++ = hexlist[i];
 			rem -= 2;
 		} else {
 			if (rem < 2)
 				break;
 			*out++ = hexlist[i];
 -			rem++;
 +			rem--;
 		}
 	}
 	*out = 0;
--- a/share/security/patches/SA-16:37/libc-inc.patch.asc
+++ b/share/security/patches/SA-16:37/libc-inc.patch.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIcBAABCgAGBQJYSNpCAAoJEO1n7NZdz2rnQhwQAIB9bWgYA4tn7fHwbpmEZrrz
 9clKJ+DUrINrgjD4R5J52b2vTirwSX+jLhwcblDcFz85VeoIc8xDPpd8rvFa9znC
 UZ2SBI0itfVZQkEGu+uEJE+9QdEr2jbwq1LIr3Ye3SECQJORlg11detvPEbNyDvm
 20DrfR+BPFvDSGKGEbKvegGaPUTv+MYXx3Km4jiXDB/Bo7lUjmE/mdIZszskzJpM
 AKx4moCR0Wep73vxGOhi2GArf+p4ZUe9eu0wdU/NTKzYH5DdjGnV+bNam2SdpgDT
 rMfrvpUJ+uqdZ1cj7yCsPjuKzskKdWihOCD+vHS3rC00ggYCQv5gnnnyo08z4qRE
 e0yU/4lj68i0X1E6gUIvATW7Y4r4EqX5xNl/nKfpgFQSqJRtZGbmlUH/7eni82Fh
 W3BKZsUyTtZJIod+SlmEloOlsqpRpL+ePSKXv5e0vLq6pr4tdLFFrPaKsi+6AbFO
 mfVSHGJIdB7WUaau34ymhpyb1SI1qrEoNNoYki6SNfuXsghgQKgghwl0cWpJEsUp
 Atg+BQH7ea2sPQh9BXqsiSiUb6wuyi/JHeuBQ4pQcKzyf7RuyxaA7rtr2p0w+UBG
 MRgceUP4H8XxCCltddq2WrNTB5dmac0t5ehYO8eJpQgtWPsl8yG5PldHkXWkhEa6
 gJVPBsoQJObVrkM/PXrl
 =/W0I
 -----END PGP SIGNATURE-----
--- a/share/security/patches/SA-16:37/libc.patch
+++ b/share/security/patches/SA-16:37/libc.patch
@ -8,7 +8,7 @@
 #include <net/if_dl.h>
 #include <string.h>
-@@ -122,31 +123,47 @@
+@@ -122,31 +123,46 @@
 link_ntoa(const struct sockaddr_dl *sdl)
 {
 	static char obuf[64];
@ -19,7 +19,7 @@
 -	int firsttime = 1;
 +	_Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
 +	char *out;
-+	const char *in, *inlim;
+	const u_char *in, *inlim;
 +	int namelen, i, rem;
 -	if (sdl->sdl_nlen) {
@ -44,31 +44,31 @@
 -			firsttime = 0;
 -		else
 +
-+	in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
+	in = (const u_char *)sdl->sdl_data + sdl->sdl_nlen;
 +	inlim = in + sdl->sdl_alen;
 +
 +	while (in < inlim && rem > 1) {
-+		if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
+		if (in != (const u_char *)sdl->sdl_data + sdl->sdl_nlen) {
 			*out++ = '.';
 +			rem--;
 +		}
 		i = *in++;
 		if (i > 0xf) {
 -			out[1] = hexlist[i & 0xf];
-+			if (rem < 3)
+-			i >>= 4;
 +				break;
 +			*out++ = hexlist[i & 0xf];
 			i >>= 4;
 -			out[0] = hexlist[i];
 -			out += 2;
 -		} else
- 			*out++ = hexlist[i];
+			if (rem < 3)
 +				break;
 +			*out++ = hexlist[i >> 4];
 +			*out++ = hexlist[i & 0xf];
 +			rem -= 2;
 +		} else {
 +			if (rem < 2)
 +				break;
-+			*out++ = hexlist[i];
+ 			*out++ = hexlist[i];
-+			rem++;
+			rem--;
 +		}
 	}
 	*out = 0;
--- a/share/security/patches/SA-16:37/libc.patch.asc
+++ b/share/security/patches/SA-16:37/libc.patch.asc
@ -1,16 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
-iQIcBAABCgAGBQJYRw1vAAoJEO1n7NZdz2rnH2QP/jQF/xtjDHJoEKk3h6DGZUC4
+iQIcBAABCgAGBQJYSNpCAAoJEO1n7NZdz2rn878P/Apo2QqeYGpvg35269V/BSL/
-GM27jneyYt/SWbGVHchYhD6y+67304OeUCZ7N6aEUI3cVgoZObDuVNoNrtfBnSPB
+jV42W8llFJ+5sxieWMgxTX3RxymwqhxZPQU6gFoBadnESWo/Z00mtNHygP7JIkDZ
-gTtAOUQchlF0ZP/TKZSrONz6Pz+1R/N9QryJSDYr3KUsLDuU6I2nob7kR+Iwxn1V
+SKmOBJl2uZDuZpXAwt2wpKqzYixBAzA19R7gxHI9nXU9CiAG4Ql+EAD99QbUZhPf
-pX8MakPMSOUH8tHHpXlQySN8rjobtiCdvulDyi0IX92Ajdq7fqLlu2oiHsMYdtfW
+CjELbPmYwdkt77QrRJXdUZd+vUV3QkvB/4B+eww+aoaG5pTZ1IVjO45PXQn4FDsW
-hzWahmHJZUFe0CqLc+78vGB5WTsIXcwSfrkq5MVy8hDlbtmFrgyXcReEBnXSw+kC
+04UNYlvgKXQCpEBDYKbsht1B75JCrlvgMpG0KBeDzVMtWxLcTtj8l4U4HH70N6Jx
-Y751w+W674Cck/60inzA3is7Iy84/yE0fGuBmFWPhOatTbVqI6dG+gK0CqlzW8g7
+OTcvyCuzRMNltKVEcl5j8HX8YbHq8cGSzdbtKXbCrP4BHGjNJpL9ZGZyZt0DpwI1
-M9ven4K9S9vO52oMSlQJi1VGx66r1P4+7RpiqIC6GFpBZ4ItEYvD4/SP3y75eIGD
+/vjij8ChpMUH9g+lrIGZF6WvXaY3L4OInldtUvBuYuVuJMiXiR2WuRJSzyMHVgxN
-LRSzV+LHJarwNslznAFWxg0rWoHbOhH2x0XT2Ve7rXXm4jzIMTL6LSczYlppQ6d2
+2+k3+wgkwPHwJ24UTu+pj0GJ/e7HdWTEUK+Ox6m/+ynj69jlRoUipf1JrFMCsBVh
-DBfyFHykY4iA0VbSBJYXueQrDHc4njJnr4Kl1ZSOZq9HhUbwVcVM0Wse+ZZJ7veQ
+BfoPZdYEXjy2Y8hAs4ybQvufFdBs/A7G+xHR4qgQ7XxnTaCTR3GObHAvp1ytHj19
-Xe83iqX6+bbRM8GFLtSw/mJa1h+TMW6N8T/qQXdokYCpVASLDnwfLinqkeC1mh+H
+J1nHjPoF7t9wq7ZBOXJNJGtZ4T1S5E5POtXQvxXm/pk+I9JqauESUDyBkhaStEJB
-Wr5kf9pbrBTLcnR/LRnVDZ9ySN6AaZdbLea+7RnPZ46MyQIG14yIvJMPk1LnQB9L
+O+g0cS3G51tJpcfhEnaNQnFeI20NIXkqeqGZSDdCMHXseWzJuWqux7xKICv0iA2x
-dO+RStwsKHuz2O37ENqi
+Sc88sLhCDB/Hu+VGm5DX
-=lrl6
+=hvSq
 -----END PGP SIGNATURE-----