Module Name: src
Committed By: martin
Date: Thu Sep 5 10:12:31 UTC 2024
Modified Files:
src/sys/external/bsd/libnv/dist [netbsd-9]: nvpair.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1885):
sys/external/bsd/libnv/dist/nvpair.c: revision 1.13
libnv: Check for NUL within bounds when unpacking string arrays.
This avoids buffer overrun in the subsequent nv_strdup, which can be
triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.
Matches upstream FreeBSD change by Mariusz Zaborski.
CVE-2024-45288
PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.2.1 src/sys/external/bsd/libnv/dist/nvpair.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/external/bsd/libnv/dist/nvpair.c
diff -u src/sys/external/bsd/libnv/dist/nvpair.c:1.11 src/sys/external/bsd/libnv/dist/nvpair.c:1.11.2.1
--- src/sys/external/bsd/libnv/dist/nvpair.c:1.11 Wed Jul 24 14:25:56 2019
+++ src/sys/external/bsd/libnv/dist/nvpair.c Thu Sep 5 10:12:31 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: nvpair.c,v 1.11 2019/07/24 14:25:56 martin Exp $ */
+/* $NetBSD: nvpair.c,v 1.11.2.1 2024/09/05 10:12:31 martin Exp $ */
/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
#ifdef __FreeBSD__
__FBSDID("$FreeBSD: head/sys/contrib/libnv/nvpair.c 335382 2018-06-19 18:43:02Z lwhsu $");
#else
-__RCSID("$NetBSD: nvpair.c,v 1.11 2019/07/24 14:25:56 martin Exp $");
+__RCSID("$NetBSD: nvpair.c,v 1.11.2.1 2024/09/05 10:12:31 martin Exp $");
#endif
#include <sys/param.h>
@@ -1008,6 +1008,10 @@ nvpair_unpack_string_array(bool isbe __u
for (ii = 0; ii < nvp->nvp_nitems; ii++) {
len = strnlen(tmp, size - 1) + 1;
size -= len;
+ if (tmp[len - 1] != '\0') {
+ ERRNO_SET(EINVAL);
+ return (NULL);
+ }
if (size < 0) {
ERRNO_SET(EINVAL);
return (NULL);
