upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-09 08:43:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

libnv: allocate buffer in a safe way

Browse source 
Ensure that the calculation of size of array doesn't
overflow.

Security:	FreeBSD-24:09.libnv
Security:	CVE-2024-45287
Security:	CAP-02
Reported by:	Synacktiv
Reported by:	Taylor R Campbell (NetBSD)
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46131

(cherry picked from commit 36fa90dbde)
(cherry picked from commit 371af89975)

Approved by:	so
This commit is contained in:
Mariusz Zaborski 2024-08-26 20:10:25 +02:00 committed by Franco Fichtner
parent 9ed3372651
commit 3cdd9f1167
2 changed files with 15 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
sys/contrib/libnv/bsd_nvpair.c
View file

@ -999,7 +999,7 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp,
return (NULL);
}
value = nv_malloc(sizeof(*value) * nvp->nvp_nitems);
value = nv_calloc(nvp->nvp_nitems, sizeof(*value));
if (value == NULL)
return (NULL);
@ -1092,7 +1092,7 @@ nvpair_unpack_nvlist_array(bool isbe __unused, nvpair_t *nvp,
return (NULL);
}
value = nv_malloc(nvp->nvp_nitems * sizeof(*value));
value = nv_calloc(nvp->nvp_nitems, sizeof(*value));
if (value == NULL)
return (NULL);
@ -1330,10 +1330,10 @@ nvpair_create_bool_array(const char *name, const bool *value, size_t nitems)
return (NULL);
}
size = sizeof(value[0]) * nitems;
data = nv_malloc(size);
data = nv_calloc(nitems, sizeof(value[0]));
if (data == NULL)
return (NULL);
size = sizeof(value[0]) * nitems;
memcpy(data, value, size);
nvp = nvpair_allocv(name, NV_TYPE_BOOL_ARRAY, (uint64_t)(uintptr_t)data,
@ -1360,10 +1360,10 @@ nvpair_create_number_array(const char *name, const uint64_t *value,
return (NULL);
}
size = sizeof(value[0]) * nitems;
data = nv_malloc(size);
data = nv_calloc(nitems, sizeof(value[0]));
if (data == NULL)
return (NULL);
size = sizeof(value[0]) * nitems;
memcpy(data, value, size);
nvp = nvpair_allocv(name, NV_TYPE_NUMBER_ARRAY,
@ -1393,7 +1393,7 @@ nvpair_create_string_array(const char *name, const char * const *value,
nvp = NULL;
datasize = 0;
data = nv_malloc(sizeof(value[0]) * nitems);
data = nv_calloc(nitems, sizeof(value[0]));
if (data == NULL)
return (NULL);
@ -1440,7 +1440,7 @@ nvpair_create_nvlist_array(const char *name, const nvlist_t * const *value,
return (NULL);
}
nvls = nv_malloc(sizeof(value[0]) * nitems);
nvls = nv_calloc(nitems, sizeof(value[0]));
if (nvls == NULL)
return (NULL);
@ -1507,7 +1507,7 @@ nvpair_create_descriptor_array(const char *name, const int *value,
nvp = NULL;
fds = nv_malloc(sizeof(value[0]) * nitems);
fds = nv_calloc(nitems, sizeof(value[0]));
if (fds == NULL)
return (NULL);
for (ii = 0; ii < nitems; ii++) {

8
sys/contrib/libnv/nvlist.c
View file

@ -758,7 +758,7 @@ nvlist_descriptors(const nvlist_t *nvl, size_t *nitemsp)
int *fds;
nitems = nvlist_ndescriptors(nvl);
fds = nv_malloc(sizeof(fds[0]) * (nitems + 1));
fds = nv_calloc(nitems + 1, sizeof(fds[0]));
if (fds == NULL)
return (NULL);
if (nitems > 0)
@ -1029,6 +1029,10 @@ static bool
nvlist_check_header(struct nvlist_header *nvlhdrp)
{
if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(nvlhdrp)) {
ERRNO_SET(EINVAL);
return (false);
}
if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) {
ERRNO_SET(EINVAL);
return (false);
@ -1313,7 +1317,7 @@ nvlist_recv(int sock, int flags)
goto out;
if (nfds > 0) {
fds = nv_malloc(nfds * sizeof(fds[0]));
fds = nv_calloc(nfds, sizeof(fds[0]));
if (fds == NULL)
goto out;
if (fd_recv(sock, fds, nfds) == -1)