Problem Description:
Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling.
First, rtsold(8) failed to perform sufficient bounds checking on the
extent of the option. In particular, it did not verify that the
option does not extend past the end of the received packet before
processing its contents. The kernel currently ignores such
malformed packets but still passes them to userspace programs.
Second, when processing a DNSSL option, rtsold(8) decodes domain
name labels per the encoding specified in RFC 1035, in which the first
octet of each label contains the label's length. rtsold(8) did not
validate label lengths correctly and could overflow the destination
buffer.
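The following decoder, an added example and not rtsold(8)'s own code, shows the three checks the description calls for: the option must lie inside the received packet, each RFC 1035 label must lie inside the option, and each label must fit the destination buffer. It assumes the RFC 6106 DNSSL layout (type, length in 8-octet units, 6 bytes of reserved/lifetime, then zero-padded labels) and a constructed 24-byte sample option.

```c
/* Defensive DNSSL (RFC 6106) option decoder, an added example rather than
 * rtsold(8)'s own code. Assumed layout: opt[0]=type 31, opt[1]=length in
 * 8-octet units, opt[2..7]=reserved+lifetime, opt[8..]=RFC 1035 labels. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NAME_MAX 255  /* RFC 1035 maximum domain name length */
#define LABEL_MAX 63  /* RFC 1035 maximum label length */
/* Decode the names of the DNSSL option at pkt[optoff]; returns the number
 * of names written to names[], or -1 if the option is malformed. */
int decode_dnssl(const uint8_t *pkt, size_t pktlen, size_t optoff,
                 char names[][NAME_MAX + 1], int maxnames)
{
    if (optoff + 2 > pktlen)
        return -1;
    size_t optlen = (size_t)pkt[optoff + 1] * 8;
    if (optlen < 16 || optlen > pktlen - optoff) /* option past end of packet */
        return -1;
    const uint8_t *p = pkt + optoff + 8, *end = pkt + optoff + optlen;
    int n = 0;
    while (p < end && n < maxnames) {
        if (*p == 0) { p++; continue; }          /* trailing zero padding */
        size_t out = 0;
        int terminated = 0;
        while (p < end) {
            uint8_t len = *p++;
            if (len == 0) { terminated = 1; break; }  /* root label ends name */
            if (len > LABEL_MAX || (size_t)(end - p) < len) /* label past option */
                return -1;
            if (out + len + 1 > NAME_MAX)         /* would overflow names[n] */
                return -1;
            memcpy(names[n] + out, p, len);
            out += len; p += len;
            names[n][out++] = '.';
        }
        if (!terminated)                         /* name ran off the option */
            return -1;
        names[n][out - 1] = '\0';                /* drop the final separator */
        n++;
    }
    return n;
}
/* Constructed sample: one 24-byte DNSSL option carrying "example.com". */
static const uint8_t sample_opt[24] = {
    31, 3, 0, 0, 0, 0, 0x0e, 0x10,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 0, 0 };
static char demo_names[4][NAME_MAX + 1];
int demo(void) { return decode_dnssl(sample_opt, sizeof sample_opt, 0, demo_names, 4); }
```

Rejecting any label length above 63 also rejects RFC 1035 compression pointers (top two bits set), which have no place in a DNSSL option.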
Impact:
It is believed that these bugs could be exploited to gain remote
code execution within the rtsold(8) daemon, which runs as root.
Note that rtsold(8) only processes messages received from hosts
attached to the same physical link as the interface(s) on which
rtsold(8) is listening.
In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the
scope of a compromised rtsold(8) process.