git: 6316ab68d331 - releng/14.4 - ngctl: Check hook name length

Tue, 17 Feb 2026 17:53:38 -0800 

The branch releng/14.4 has been updated by cperciva:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6316ab68d331098749ad1eac63a183a4c9ccda3c

commit 6316ab68d331098749ad1eac63a183a4c9ccda3c
Author:     Dag-Erling Smørgrav <[email protected]>
AuthorDate: 2026-02-13 15:57:46 +0000
Commit:     Colin Percival <[email protected]>
CommitDate: 2026-02-18 01:48:33 +0000

    ngctl: Check hook name length
    
    Check the length of the hook name when copying it into the sockaddr.
    
    MFC after:      1 week
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D55258
    
    (cherry picked from commit 585190dff436eeea3be97300e36c82559028d3dd)
    (cherry picked from commit 71c0f48ab19fbac3d93e29d8964db2f215ddf722)
---
 usr.sbin/ngctl/write.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/usr.sbin/ngctl/write.c b/usr.sbin/ngctl/write.c
index 1e86963fb39c..7ee8dcfaa241 100644
--- a/usr.sbin/ngctl/write.c
+++ b/usr.sbin/ngctl/write.c
@@ -35,10 +35,12 @@
 #include <sys/socket.h>
 
 #include <err.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 
+#include <netgraph/ng_message.h>
 #include <netgraph/ng_socket.h>
 
 #include "ngctl.h"
@@ -63,6 +65,7 @@ WriteCmd(int ac, char **av)
        struct sockaddr_ng *sag = (struct sockaddr_ng *)sagbuf;
        u_char buf[BUF_SIZE];
        const char *hook;
+       size_t hooklen;
        FILE *fp;
        u_int len;
        int byte;
@@ -72,6 +75,14 @@ WriteCmd(int ac, char **av)
        if (ac < 3)
                return (CMDRTN_USAGE);
        hook = av[1];
+       _Static_assert(sizeof(sagbuf) >=
+           offsetof(struct sockaddr_ng, sg_data) + NG_HOOKSIZ,
+           "sagbuf is too small for NG_HOOKSIZ");
+       hooklen = strlcpy(sag->sg_data, hook, NG_HOOKSIZ);
+       if (hooklen >= NG_HOOKSIZ) {
+               warnx("hook name \"%s\" too long", hook);
+               return (CMDRTN_ERROR);
+       }
 
        /* Get data */
        if (strcmp(av[2], "-f") == 0) {
@@ -104,11 +115,10 @@ WriteCmd(int ac, char **av)
        }
 
        /* Send data */
-       sag->sg_len = 3 + strlen(hook);
+       sag->sg_len = 3 + hooklen;
        sag->sg_family = AF_NETGRAPH;
-       strlcpy(sag->sg_data, hook, sizeof(sagbuf) - 2);
-       if (sendto(dsock, buf, len,
-           0, (struct sockaddr *)sag, sag->sg_len) == -1) {
+       if (sendto(dsock, buf, len, 0, (struct sockaddr *)sag,
+           sag->sg_len) < 0) {
                warn("writing to hook \"%s\"", hook);
                return (CMDRTN_ERROR);
        }

Reply via email to