git: f7f48005fbe2 - releng/13.5 - libnv: fix heap overflow in nvlist_recv()
Date: Wed, 29 Apr 2026 14:50:22 UTC
The branch releng/13.5 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=f7f48005fbe256e3af42db3cc5ad33b140050f03
commit f7f48005fbe256e3af42db3cc5ad33b140050f03
Author: Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2026-04-28 14:36:09 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-28 20:32:11 +0000
libnv: fix heap overflow in nvlist_recv()
nvlist_check_header() validated nvlh_size for overflow before
performing the conversion. A malicious user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the original value passes the check, but after the conversion
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.
Approved by: so
Security: FreeBSD-SA-26:17.libnv
Security: CVE-2026-35547
Fixes: 36fa90dbde0060aacb5677d0b113ee168e839071
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D56342
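The ordering bug described in the commit message, shown as an added example that is not libnv's or FreeBSD's code: a simplified header model with both the pre-fix check order (bound, then byte-swap) and the post-fix order (byte-swap, then bound), plus a constructed header whose raw nvlh_size passes the bound but wraps the allocation length once swapped. It assumes a little-endian 64-bit receiver, so be64toh() is a plain byte swap, and uses an assumed flag bit and an unpacked struct layout; the `ex_` names are hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed flag bit and a simplified header layout; illustrative only,
 * not libnv's definitions. */
#define EX_NV_FLAG_BIG_ENDIAN 0x80

struct ex_header {
	uint8_t  magic;
	uint8_t  version;
	uint8_t  flags;
	uint64_t descriptors;
	uint64_t size;
};

/* The receiver is modelled as a little-endian host, so converting a
 * big-endian field to host order is an unconditional byte swap. */
static uint64_t
ex_be64toh(uint64_t v)
{
	uint64_t r = 0;
	for (int i = 0; i < 8; i++)
		r = (r << 8) | ((v >> (8 * i)) & 0xff);
	return (r);
}

static bool
ex_size_fits(uint64_t size)
{
	return (size <= SIZE_MAX - sizeof(struct ex_header));
}

/* Pre-fix order: bound the raw field, then byte-swap it. */
static bool
ex_check_header_old(struct ex_header *h)
{
	if (!ex_size_fits(h->size))
		return (false);
	if ((h->flags & EX_NV_FLAG_BIG_ENDIAN) != 0) {
		h->size = ex_be64toh(h->size);
		h->descriptors = ex_be64toh(h->descriptors);
	}
	return (true);
}

/* Post-fix order: byte-swap first, then bound the host-order value. */
static bool
ex_check_header_new(struct ex_header *h)
{
	if ((h->flags & EX_NV_FLAG_BIG_ENDIAN) != 0) {
		h->size = ex_be64toh(h->size);
		h->descriptors = ex_be64toh(h->descriptors);
	}
	return (ex_size_fits(h->size));
}

/* The header-plus-payload length a receiver would allocate; this is the
 * sum the commit message says can overflow. Wraps silently on overflow. */
static size_t
ex_alloc_len(const struct ex_header *h)
{
	return (sizeof(struct ex_header) + (size_t)h->size);
}

/* Constructed attacker header: big-endian flag set, and the size field
 * chosen so the raw value is below the bound while the swapped value is
 * SIZE_MAX - sizeof(header) + 1, the smallest value that wraps to 0. */
static struct ex_header
ex_crafted_header(void)
{
	struct ex_header h = { .magic = 0, .version = 0,
	    .flags = EX_NV_FLAG_BIG_ENDIAN, .descriptors = 0, .size = 0 };
	uint64_t wanted = (uint64_t)SIZE_MAX - sizeof(struct ex_header) + 1;
	h.size = ex_be64toh(wanted);	/* the swap is its own inverse */
	return (h);
}

/* Old order accepts the crafted header and then computes a 0-byte
 * allocation for a payload the header claims is nearly SIZE_MAX long. */
static bool
ex_old_check_accepts_crafted(void)
{
	struct ex_header h = ex_crafted_header();
	return (ex_check_header_old(&h) && ex_alloc_len(&h) == 0);
}

/* New order swaps first and rejects the same header. */
static bool
ex_new_check_rejects_crafted(void)
{
	struct ex_header h = ex_crafted_header();
	return (!ex_check_header_new(&h));
}

/* A benign big-endian header with a small payload passes both orders. */
static bool
ex_both_accept_benign(void)
{
	struct ex_header a = { .flags = EX_NV_FLAG_BIG_ENDIAN,
	    .size = ex_be64toh(64) };
	struct ex_header b = a;
	return (ex_check_header_old(&a) && ex_check_header_new(&b) &&
	    a.size == 64 && b.size == 64);
}

int
main(void)
{
	struct ex_header h = ex_crafted_header();
	printf("raw nvlh_size   = 0x%016" PRIx64 "\n", h.size);
	printf("old check       = %s\n",
	    ex_check_header_old(&h) ? "accept" : "reject");
	printf("after swap      = 0x%016" PRIx64 ", alloc len = %zu\n",
	    h.size, ex_alloc_len(&h));
	h = ex_crafted_header();
	printf("new check       = %s\n",
	    ex_check_header_new(&h) ? "accept" : "reject");
	return (0);
}
```

The constructed value works because the bound compares against the most-significant bytes, while the swap moves the attacker's chosen low byte into the most-significant position; any validation of a field that is later transformed must be redone on the transformed value.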
---
sys/contrib/libnv/nvlist.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/sys/contrib/libnv/nvlist.c b/sys/contrib/libnv/nvlist.c
index 6934da0df00a..721332247b38 100644
--- a/sys/contrib/libnv/nvlist.c
+++ b/sys/contrib/libnv/nvlist.c
@@ -1029,10 +1029,6 @@ static bool
nvlist_check_header(struct nvlist_header *nvlhdrp)
{
- if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
- ERRNO_SET(EINVAL);
- return (false);
- }
if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) {
ERRNO_SET(EINVAL);
return (false);
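Review bot: Removing the bound here leaves nvlh_size completely unchecked within this hunk, so the deletion is only safe if the identical test is reinstated after the be64toh() conversion; that the magic check now comes first is fine, since nvlh_magic is not byte-swapped and so is compared in the same form either way. Moving rather than duplicating the check is the right choice, because the raw value this hunk used to bound is never the one the caller consumes once a conversion has happened.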
@@ -1052,6 +1048,11 @@ nvlist_check_header(struct nvlist_header *nvlhdrp)
nvlhdrp->nvlh_descriptors = be64toh(nvlhdrp->nvlh_descriptors);
}
#endif
+ if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
+ ERRNO_SET(EINVAL);
+ return (false);
+ }
+
return (true);
}
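Review bot: The relocated check now runs on the host-order nvlh_size, which closes the gap the commit message describes, but nothing marks its position as load-bearing; a one-line comment above it such as "/* Must stay after the byte-order conversion above. */" would stop a future cleanup from hoisting it back to the top of the function. Separately, nvlh_descriptors is byte-swapped in the same block but receives no bound in this function; worth confirming that the caller limits it before using it to size anything.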