git: 937693fc9e4f - main - libnv: Fix a length check in nvpair_unpack_string_array()

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 15 Oct 2025 20:20:10 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=937693fc9e4ff4045cc674a14902f0d53e84ec98

commit 937693fc9e4ff4045cc674a14902f0d53e84ec98
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-10-15 20:15:08 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-10-15 20:15:08 +0000

    libnv: Fix a length check in nvpair_unpack_string_array()
    
    A string array is represented by a set of nul-terminated strings
    concatenated together.  For each string, we check to see if there's a
    nul terminator at the end, taking care to avoid going past the end of
    the buffer.  However, the code fails to handle the possibility that
    size == 0 at the end of an iteration, leading to underflow.
    
    Fix the length check.
    
    Reported by:    Ilja van Sprundel <ivansprundel@ioactive.com>
    Reviewed by:    emaste
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D53069
---
 sys/contrib/libnv/bsd_nvpair.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sys/contrib/libnv/bsd_nvpair.c b/sys/contrib/libnv/bsd_nvpair.c
index c73bc2189121..b884dd260b84 100644
--- a/sys/contrib/libnv/bsd_nvpair.c
+++ b/sys/contrib/libnv/bsd_nvpair.c
@@ -985,13 +985,13 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp,
 	size = nvp->nvp_datasize;
 	tmp = (const char *)ptr;
 	for (ii = 0; ii < nvp->nvp_nitems; ii++) {
-		len = strnlen(tmp, size - 1) + 1;
-		size -= len;
-		if (tmp[len - 1] != '\0') {
+		if (size <= 0) {
 			ERRNO_SET(EINVAL);
 			return (NULL);
 		}
-		if (size < 0) {
+		len = strnlen(tmp, size - 1) + 1;
+		size -= len;
+		if (tmp[len - 1] != '\0') {
 			ERRNO_SET(EINVAL);
 			return (NULL);
 		}
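Review bot: the new `if (size <= 0)` at the top of the loop is the right fix, but nothing in the hunk says why `<= 0` rather than `< 0` is needed, and a one-line comment above the check would stop someone from "tightening" it back. The failure it closes: once `size` reached exactly 0 at the end of an iteration, the old post-subtraction `if (size < 0)` did not fire, and the next iteration called `strnlen(tmp, size - 1)` with a bound of `(size_t)-1`, so the scan ran off the end of the buffer and `tmp[len - 1]` was an out-of-bounds read. Dropping the old `if (size < 0)` after `size -= len` is safe because `strnlen(tmp, size - 1)` returns at most `size - 1`, hence `len <= size` and `size` cannot go negative there; that invariant is also worth a comment, since `size` is signed (the old `size < 0` test implies it). Note that with `nvp_nitems == 0` the loop body never runs, so the new check is not reached for that case; whatever validates leftover bytes after the loop is outside this hunk.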
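To make the failure mode concrete, here is an added C example that is not FreeBSD's libnv code: it re-implements just the length check of nvpair_unpack_string_array() over the packed format the commit message describes (nitems nul-terminated strings concatenated into datasize bytes), with the post-fix ordering of the checks, and runs it over constructed inputs including the case the fix addresses, where nitems claims one more string than the data holds. The function names, the return convention, the sample buffers and the post-loop "no bytes left over" check are assumptions of this example, not taken from the hunk.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Added example, not FreeBSD's libnv code.  Only the length check of
 * nvpair_unpack_string_array() is re-implemented, in the post-fix order.
 * Names, the return convention and the post-loop check are assumptions.
 */

/* The bound the pre-fix code handed to strnlen() for a given `size`. */
static size_t
prefix_strnlen_bound(ssize_t size)
{
	/* For size == 0 this is (size_t)-1, i.e. SIZE_MAX: an unbounded scan. */
	return ((size_t)(size - 1));
}

/*
 * Validate a packed string array.  Returns the number of strings, or -1
 * with errno set to EINVAL when the array is malformed.  If offs is not
 * NULL, offs[i] receives the byte offset at which string i starts.
 */
static int
validate_string_array(const unsigned char *ptr, size_t datasize,
    unsigned int nitems, size_t *offs)
{
	ssize_t size;		/* bytes not yet accounted for; signed as in libnv */
	size_t len;
	const char *tmp;
	unsigned int ii;

	if (datasize > (size_t)SSIZE_MAX) {	/* would go negative in ssize_t */
		errno = EINVAL;
		return (-1);
	}
	size = (ssize_t)datasize;
	tmp = (const char *)ptr;
	for (ii = 0; ii < nitems; ii++) {
		/*
		 * Fixed ordering: refuse to scan when nothing is left.  With
		 * size == 0 the pre-fix code passed size - 1 (wrapping to
		 * SIZE_MAX) as the strnlen() bound, then read tmp[len - 1]
		 * past the end of the buffer.
		 */
		if (size <= 0) {
			errno = EINVAL;
			return (-1);
		}
		len = strnlen(tmp, (size_t)size - 1) + 1;
		size -= (ssize_t)len;	/* len <= size, so size stays >= 0 */
		if (tmp[len - 1] != '\0') {
			/* String ran to the end of the data without a nul. */
			errno = EINVAL;
			return (-1);
		}
		if (offs != NULL)
			offs[ii] = (size_t)(tmp - (const char *)ptr);
		tmp += len;
	}
	/* Assumed post-loop check: every declared byte belongs to a string. */
	if (size != 0) {
		errno = EINVAL;
		return (-1);
	}
	return ((int)nitems);
}

/* True when the array validates and string `idx` starts at byte `want`. */
static int
string_starts_at(const unsigned char *ptr, size_t datasize,
    unsigned int nitems, unsigned int idx, size_t want)
{
	size_t offs[16];

	if (nitems > 16 || idx >= nitems)
		return (0);
	if (validate_string_array(ptr, datasize, nitems, offs) < 0)
		return (0);
	return (offs[idx] == want);
}

/* Constructed sample inputs; none of these come from a real nvlist. */
static const unsigned char PACKED_THREE[] = { 'a', 'b', 0, 'c', 0, 0 };	/* "ab", "c", "" */
static const unsigned char PACKED_UNTERMINATED[] = { 'a', 'b', 0, 'c', 'd' };	/* "cd" has no nul */

int
main(void)
{
	struct { const unsigned char *buf; size_t n; unsigned int items; const char *what; } cases[] = {
		{ PACKED_THREE, sizeof(PACKED_THREE), 3, "three strings, sizes agree" },
		{ PACKED_THREE, sizeof(PACKED_THREE), 4, "nitems claims one more string than the data holds" },
		{ PACKED_UNTERMINATED, sizeof(PACKED_UNTERMINATED), 2, "last string unterminated" },
		{ PACKED_THREE, sizeof(PACKED_THREE), 1, "bytes left over after nitems strings" },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int r = validate_string_array(cases[i].buf, cases[i].n, cases[i].items, NULL);
		printf("%-52s -> %d%s\n", cases[i].what, r, r < 0 ? " (EINVAL)" : "");
	}
	printf("pre-fix strnlen bound when size == 0: %zu\n", prefix_strnlen_bound(0));
	return (0);
}
```

The second case is the one the commit fixes: after three strings consume all six bytes, `size` is 0, and the pre-fix code would have entered a fourth iteration and handed `strnlen()` the wrapped bound that `prefix_strnlen_bound(0)` shows, instead of rejecting the input up front.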