git: 3aaaca1b51ad - main - libnv: verify that string is null terminated

From: Mariusz Zaborski <oshogbo_at_FreeBSD.org>
Date: Wed, 04 Sep 2024 12:22:29 UTC
The branch main has been updated by oshogbo:

URL: https://cgit.FreeBSD.org/src/commit/?id=3aaaca1b51ad844ef9e9b3d945217ab3dd189bae

commit 3aaaca1b51ad844ef9e9b3d945217ab3dd189bae
Author:     Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2024-08-26 18:20:24 +0000
Commit:     Mariusz Zaborski <oshogbo@FreeBSD.org>
CommitDate: 2024-09-04 11:42:55 +0000

    libnv: verify that string is null terminated
    
    During unpacking, we ensure that we do not read beyond the
    declared size. However, unpack uses a function that copies
    null-terminated strings. Prior to this commit, if the last string
    was not null-terminated, it could result in copying data into a
    buffer smaller than the allocated size.
    
    Security:       FreeBSD-24:09.libnv
    Security:       CVE-2024-45288
    Security:       CAP-03
    Reported by:    Synacktiv
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46138
---
 sys/contrib/libnv/bsd_nvpair.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/contrib/libnv/bsd_nvpair.c b/sys/contrib/libnv/bsd_nvpair.c
index 9560ebc74f83..a977d7941aa3 100644
--- a/sys/contrib/libnv/bsd_nvpair.c
+++ b/sys/contrib/libnv/bsd_nvpair.c
@@ -988,6 +988,10 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp,
 	for (ii = 0; ii < nvp->nvp_nitems; ii++) {
 		len = strnlen(tmp, size - 1) + 1;
 		size -= len;
+		if (tmp[len - 1] != '\0') {
+			ERRNO_SET(EINVAL);
+			return (NULL);
+		}
 		if (size < 0) {
 			ERRNO_SET(EINVAL);
 			return (NULL);