The branch releng/14.0 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=b219ce1c5a9349f3925daf994904d4891ad8bf9e
commit b219ce1c5a9349f3925daf994904d4891ad8bf9e Author: Mariusz Zaborski <[email protected]> AuthorDate: 2024-08-26 18:20:24 +0000 Commit: Ed Maste <[email protected]> CommitDate: 2024-09-04 20:48:29 +0000 libnv: verify that string is null terminated During unpacking, we ensure that we do not read beyond the declared size. However, unpack uses a function that copies null-terminated strings. Prior to this commit, if the last string was not null-terminated, it could result in copying data into a buffer smaller than the allocated size. Security: FreeBSD-24:09.libnv Security: CVE-2024-45288 Security: CAP-03 Reported by: Synacktiv Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46138 (cherry picked from commit 3aaaca1b51ad844ef9e9b3d945217ab3dd189bae) (cherry picked from commit 9c2ef102166eaab4c2531eb0ce6ffb20b82e778a) Approved by: so --- sys/contrib/libnv/bsd_nvpair.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/contrib/libnv/bsd_nvpair.c b/sys/contrib/libnv/bsd_nvpair.c index 9560ebc74f83..a977d7941aa3 100644 --- a/sys/contrib/libnv/bsd_nvpair.c +++ b/sys/contrib/libnv/bsd_nvpair.c @@ -988,6 +988,10 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp, for (ii = 0; ii < nvp->nvp_nitems; ii++) { len = strnlen(tmp, size - 1) + 1; size -= len; + if (tmp[len - 1] != '\0') { + ERRNO_SET(EINVAL); + return (NULL); + } if (size < 0) { ERRNO_SET(EINVAL); return (NULL);
