The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=937693fc9e4ff4045cc674a14902f0d53e84ec98
commit 937693fc9e4ff4045cc674a14902f0d53e84ec98 Author: Mark Johnston <[email protected]> AuthorDate: 2025-10-15 20:15:08 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2025-10-15 20:15:08 +0000 libnv: Fix a length check in nvpair_unpack_string_array() A string array is represented by a set of nul-terminated strings concatenated together. For each string, we check to see if there's a nul terminator at the end, taking care to avoid going past the end of the buffer. However, the code fails to handle the possibility that size == 0 at the end of an iteration, leading to underflow. Fix the length check. Reported by: Ilja van Sprundel <[email protected]> Reviewed by: emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D53069 --- sys/contrib/libnv/bsd_nvpair.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sys/contrib/libnv/bsd_nvpair.c b/sys/contrib/libnv/bsd_nvpair.c index c73bc2189121..b884dd260b84 100644 --- a/sys/contrib/libnv/bsd_nvpair.c +++ b/sys/contrib/libnv/bsd_nvpair.c @@ -985,13 +985,13 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp, size = nvp->nvp_datasize; tmp = (const char *)ptr; for (ii = 0; ii < nvp->nvp_nitems; ii++) { - len = strnlen(tmp, size - 1) + 1; - size -= len; - if (tmp[len - 1] != '\0') { + if (size <= 0) { ERRNO_SET(EINVAL); return (NULL); } - if (size < 0) { + len = strnlen(tmp, size - 1) + 1; + size -= len; + if (tmp[len - 1] != '\0') { ERRNO_SET(EINVAL); return (NULL); }
