FreeBSD: VID-e2748c9d-3483-11eb-b87a-901b0ef719ab (CVE-2020-25577): FreeBSD -- Multiple vulnerabilities in rtsold

Problem Description: Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, rtsold(8) failed to perform sufficient bounds checking on the extent of the option. In particular, it does not verify that the option does not extend past the end of the received packet before processing its contents. The kernel currently ignores such malformed packets but still passes them to userspace programs. Second, when processing a DNSSL option, rtsold(8) decodes domain name labels per an encoding specified in RFC 1035 in which the first octet of each label contains the label's length. rtsold(8) did not validate label lengths correctly and could overflow the destination buffer. Impact: It is believed that these bugs could be exploited to gain remote code execution within the rtsold(8) daemon, which runs as root. Note that rtsold(8) only processes messages received from hosts attached to the same physical link as the interface(s) on which rtsold(8) is listening. In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a compromised rtsold(8) process.