From c4f11a127652779ac3804b8bfaeb83b0f4b24955 Mon Sep 17 00:00:00 2001
From: tobhe
Date: Tue, 10 Oct 2023 16:16:16 +0000
Subject: [PATCH] Print at most pkgsize - hdrsize bytes for pfkey tag and identity to prevent out-of-bounds read in strlen(). ok tb@
---
 sbin/ipsecctl/pfkdump.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index 9bd728398de..60da11b6534 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.57 2023/08/07 04:10:08 dlg Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.58 2023/10/10 16:16:16 tobhe Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -406,9 +406,11 @@ print_tag(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
 {
 struct sadb_x_tag *stag = (struct sadb_x_tag *)ext;
 char *p;
+ int plen;
 p = (char *)(stag + 1);
- printf("%s", p);
+ plen = stag->sadb_x_tag_len * 8 - sizeof(*stag);
+ printf("%.*s", plen, p);
 }
 static void
@@ -590,10 +592,12 @@ static void
 print_ident(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
 {
 struct sadb_ident *ident = (struct sadb_ident *)ext;
+ int ilen;
- printf("type %s id %llu: %s",
+ ilen = ident->sadb_ident_len * 8 - sizeof(*ident);
+ printf("type %s id %llu: %.*s",
 lookup_name(identity_types, ident->sadb_ident_type),
- ident->sadb_ident_id, (char *)(ident + 1));
+ ident->sadb_ident_id, ilen, (char *)(ident + 1));
 }
 static void
--
2.20.1
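Review bot: In print_tag, `plen` becomes negative whenever `stag->sadb_x_tag_len * 8` is smaller than `sizeof(*stag)`, and printf treats a negative `%.*s` precision as if no precision were given, so the unbounded string read this patch removes comes back for a message with an undersized length field. The same holds for `ilen` in print_ident. Neither hunk shows the extension length being checked against the header size before these printers run, so either confirm that check exists in the caller or clamp locally with `if (plen < 0) plen = 0;` (and likewise for `ilen`). The subtraction also mixes `int` with `size_t`, so the value wraps as unsigned before it is converted back to `int`; writing it as `plen = (int)stag->sadb_x_tag_len * 8 - (int)sizeof(*stag);` keeps the arithmetic signed and the intent readable.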