Module Name: src
Committed By: riastradh
Date: Wed Sep 4 12:56:47 UTC 2024
Modified Files:
src/sys/external/bsd/libnv/dist: nvlist.c
Log Message:
libnv: Refuse nonsensically large header size in nvlist_check_header.
This avoids potential integer overflow in nvlist_recv, which is not
used in NetBSD. The only other user of nvlist_check_header is
nvlist_unpack_header, which verifies the header sizes matches the
framing and so is not affected by integer overflow.
Matches upstream FreeBSD change by Mariusz Zaborski
<[email protected]>.
CVE-2024-45287
PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/external/bsd/libnv/dist/nvlist.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/external/bsd/libnv/dist/nvlist.c
diff -u src/sys/external/bsd/libnv/dist/nvlist.c:1.8 src/sys/external/bsd/libnv/dist/nvlist.c:1.9
--- src/sys/external/bsd/libnv/dist/nvlist.c:1.8 Tue Jul 23 00:49:16 2019
+++ src/sys/external/bsd/libnv/dist/nvlist.c Wed Sep 4 12:56:47 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: nvlist.c,v 1.8 2019/07/23 00:49:16 rmind Exp $ */
+/* $NetBSD: nvlist.c,v 1.9 2024/09/04 12:56:47 riastradh Exp $ */
/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
@@ -36,7 +36,7 @@
#ifdef __FreeBSD__
__FBSDID("$FreeBSD: head/sys/contrib/libnv/nvlist.c 335347 2018-06-18 22:57:32Z oshogbo $");
#else
-__RCSID("$NetBSD: nvlist.c,v 1.8 2019/07/23 00:49:16 rmind Exp $");
+__RCSID("$NetBSD: nvlist.c,v 1.9 2024/09/04 12:56:47 riastradh Exp $");
#endif
#include <sys/param.h>
@@ -1074,6 +1074,10 @@ static bool
nvlist_check_header(struct nvlist_header *nvlhdrp)
{
+ if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(nvlhdrp)) {
+ ERRNO_SET(EINVAL);
+ return (false);
+ }
if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) {
ERRNO_SET(EINVAL);
return (false);
