git: ebd7ad28151b - stable/13 - hastd: Fix nv data size check
Date: Thu, 14 Aug 2025 16:03:15 UTC
The branch stable/13 has been updated by des:
URL: https://cgit.FreeBSD.org/src/commit/?id=ebd7ad28151b4e97f469aac94388a7ffbf4f3ab0
commit ebd7ad28151b4e97f469aac94388a7ffbf4f3ab0
Author: Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2025-08-06 13:49:37 +0000
Commit: Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2025-08-14 14:00:06 +0000
hastd: Fix nv data size check
The data size check, as currently written, can be defeated by providing
a very large number that rounds up to 0, which will pass the check
(because zero plus the size of the header and name is smaller than the
size of the message) but cause a segfault later when used to index the
data array.
Rewrite the data size check to take rounding into account, and add a
cast to ensure the name size can't round up to zero.
MFC after: 1 week
PR: 266827
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D51615
(cherry picked from commit 3caee2a93f235ebcfe3a8ec99eb2c3f3e5b0438f)
---
sbin/hastd/nv.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/sbin/hastd/nv.c b/sbin/hastd/nv.c
index fd6b56c1148d..4e50d0026e7b 100644
--- a/sbin/hastd/nv.c
+++ b/sbin/hastd/nv.c
@@ -98,7 +98,7 @@ struct nvhdr {
} __packed;
#define NVH_DATA(nvh) ((unsigned char *)nvh + NVH_HSIZE(nvh))
#define NVH_HSIZE(nvh) \
- (sizeof(struct nvhdr) + roundup2((nvh)->nvh_namesize, 8))
+ (sizeof(struct nvhdr) + roundup2((size_t)(nvh)->nvh_namesize, 8))
#define NVH_DSIZE(nvh) \
(((nvh)->nvh_type & NV_ORDER_MASK) == NV_ORDER_HOST ? \
(nvh)->nvh_dsize : \
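Review bot: the `(size_t)` cast added to `roundup2((size_t)(nvh)->nvh_namesize, 8)` widens the name size before the `+ 7` and mask inside `roundup2` are applied, so the rounding is done in `size_t` rather than in the field's own (narrower) width and cannot wrap to 0 there; a one-line comment on the `NVH_HSIZE` macro saying why the cast is present would keep a future cleanup from removing it as redundant, since the field declaration is not visible here and the cast looks gratuitous without that context.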
@@ -248,11 +248,8 @@ nv_validate(struct nv *nv, size_t *extrap)
break;
}
dsize = NVH_DSIZE(nvh);
- if (dsize == 0) {
- error = EINVAL;
- break;
- }
- if (size < NVH_SIZE(nvh)) {
+ if (roundup2(dsize, 8) == 0 ||
+ roundup2(dsize, 8) > size - NVH_HSIZE(nvh)) {
error = EINVAL;
break;
}
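Review bot: the new bound `roundup2(dsize, 8) > size - NVH_HSIZE(nvh)` is only safe if `size >= NVH_HSIZE(nvh)` has already been established, which this hunk does not show; if no such check precedes it, the unsigned subtraction wraps to a huge value and the comparison passes for any `dsize`, so either confirm the earlier header-size check exists or write the condition as `NVH_HSIZE(nvh) > size || roundup2(dsize, 8) > size - NVH_HSIZE(nvh)`. The `roundup2(dsize, 8) == 0` test correctly subsumes the removed `dsize == 0` check (rounding 0 yields 0) and also rejects values near the top of `dsize`'s range whose rounding wraps to 0, which is the segfault case from the commit message; computing `roundup2(dsize, 8)` once into a local instead of twice would make that intent easier to read.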