upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

libnv: verify that string is null terminated

Browse source 
During unpacking, we ensure that we do not read beyond the
declared size. However, unpack uses a function that copies
null-terminated strings. Prior to this commit, if the last string
was not null-terminated, it could result in copying data into a
buffer smaller than the allocated size.

Security:       FreeBSD-24:09.libnv
Security:       CVE-2024-45288
Security:       CAP-03
Reported by:    Synacktiv
Sponsored by:   The Alpha-Omega Project
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D46138

(cherry picked from commit 3aaaca1b51ad844ef9e9b3d945217ab3dd189bae)
(cherry picked from commit 9c2ef10216)

Approved by:	so
This commit is contained in:
Mariusz Zaborski 2024-08-26 20:20:24 +02:00 committed by Franco Fichtner
parent 3cdd9f1167
commit 3078dad2f2
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
sys/contrib/libnv/bsd_nvpair.c
View file

@ -988,6 +988,10 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp,
for (ii = 0; ii < nvp->nvp_nitems; ii++) {
len = strnlen(tmp, size - 1) + 1;
size -= len;
if (tmp[len - 1] != '\0') {
ERRNO_SET(EINVAL);
return (NULL);
}
if (size < 0) {
ERRNO_SET(EINVAL);
return (NULL);