git: 33b4e2361c82 - releng/13.3 - libnv: verify that string is null terminated
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 04 Sep 2024 20:29:40 UTC
The branch releng/13.3 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=33b4e2361c82b269d42c0d787e8900d1bde5de71
commit 33b4e2361c82b269d42c0d787e8900d1bde5de71
Author: Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2024-08-26 18:20:24 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-04 20:28:56 +0000
libnv: verify that string is null terminated
During unpacking, we ensure that we do not read beyond the
declared size. However, unpack uses a function that copies
null-terminated strings. Prior to this commit, if the last string
was not null-terminated, it could result in copying data into a
buffer smaller than the allocated size.
Security: FreeBSD-24:09.libnv
Security: CVE-2024-45288
Security: CAP-03
Reported by: Synacktiv
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46138
(cherry picked from commit 3aaaca1b51ad844ef9e9b3d945217ab3dd189bae)
(cherry picked from commit 03bef9971d73621e1703a0bad41b598bc2fce9c6)
Approved by: so
---
sys/contrib/libnv/bsd_nvpair.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sys/contrib/libnv/bsd_nvpair.c b/sys/contrib/libnv/bsd_nvpair.c
index 41d262a18c9b..cfe168c38026 100644
--- a/sys/contrib/libnv/bsd_nvpair.c
+++ b/sys/contrib/libnv/bsd_nvpair.c
@@ -986,6 +986,10 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp,
for (ii = 0; ii < nvp->nvp_nitems; ii++) {
len = strnlen(tmp, size - 1) + 1;
size -= len;
+ if (tmp[len - 1] != '\0') {
+ ERRNO_SET(EINVAL);
+ return (NULL);
+ }
if (size < 0) {
ERRNO_SET(EINVAL);
return (NULL);