diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2025-10-15 20:15:08 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2025-10-15 20:15:08 +0000 |
| commit | 937693fc9e4ff4045cc674a14902f0d53e84ec98 (patch) | |
| tree | 1c2444a258768d31a0b3dee95ce8c58b8618128b | |
| parent | c86af2cc4cd12fb0174843b22d737c3b5b5d55d0 (diff) | |
libnv: Fix a length check in nvpair_unpack_string_array()
A string array is represented by a set of nul-terminated strings
concatenated together. For each string, we check to see if there's a
nul terminator at the end, taking care to avoid going past the end of
the buffer. However, the code fails to handle the possibility that
size == 0 at the end of an iteration, leading to underflow.
Fix the length check.
Reported by: Ilja van Sprundel <ivansprundel@ioactive.com>
Reviewed by: emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53069
| -rw-r--r-- | sys/contrib/libnv/bsd_nvpair.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/contrib/libnv/bsd_nvpair.c b/sys/contrib/libnv/bsd_nvpair.c index c73bc2189121..b884dd260b84 100644 --- a/sys/contrib/libnv/bsd_nvpair.c +++ b/sys/contrib/libnv/bsd_nvpair.c @@ -985,13 +985,13 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp, size = nvp->nvp_datasize; tmp = (const char *)ptr; for (ii = 0; ii < nvp->nvp_nitems; ii++) { - len = strnlen(tmp, size - 1) + 1; - size -= len; - if (tmp[len - 1] != '\0') { + if (size <= 0) { ERRNO_SET(EINVAL); return (NULL); } - if (size < 0) { + len = strnlen(tmp, size - 1) + 1; + size -= len; + if (tmp[len - 1] != '\0') { ERRNO_SET(EINVAL); return (NULL); } |