opnsense-src/sys/contrib/libnv
Mariusz Zaborski 7b7e6d7376 libnv: fix heap overflow in nvlist_recv()
nvlist_check_header() validated nvlh_size for overflow before
performing conversion. A malicious user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the original value passes the check, but after the conversion the
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.

Approved by:	so
Security:	FreeBSD-SA-26:17.libnv
Security:	CVE-2026-35547
Fixes:		36fa90dbde0060aacb5677d0b113ee168e839071
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56342
2026-04-29 22:15:06 +02:00
..
bsd_nvpair.c libnv: verify that string is null terminated 2024-09-04 14:26:05 +02:00
cnvlist.c spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD 2023-05-12 10:44:03 -06:00
dnvlist.c spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD 2023-05-12 10:44:03 -06:00
nv_impl.h libnv: add tests to verify potential overflow issues 2026-04-29 22:14:59 +02:00
nvlist.c libnv: fix heap overflow in nvlist_recv() 2026-04-29 22:15:06 +02:00
nvlist_impl.h spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD 2023-05-12 10:44:03 -06:00
nvpair_impl.h spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD 2023-05-12 10:44:03 -06:00