libnv: fix heap overflow in nvlist_recv()

nvlist_check_header() validated nvlh_size for overflow before
performing conversion. An mallicous user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the orginall value passes the check, but after the conversion the
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.

Approved by:	so
Security:	FreeBSD-SA-26:17.libnv
Security:	CVE-2026-35547
Fixes:		36fa90dbde0060aacb5677d0b113ee168e839071
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56342

2 files changed, 62 insertions, 4 deletions

diff --git a/lib/libnv/tests/nvlist_send_recv_test.c b/lib/libnv/tests/nvlist_send_recv_test.c
index d655a26a7362..306c91560400 100644
--- a/lib/libnv/tests/nvlist_send_recv_test.c
+++ b/lib/libnv/tests/nvlist_send_recv_test.c
@@ -1,5 +1,8 @@
 /*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
  * Copyright (c) 2013 The FreeBSD Foundation
+ * Copyright (c) 2024-2026 Mariusz Zaborski <oshogbo@FreeBSD.org>
  *
  * This software was developed by Pawel Jakub Dawidek under sponsorship from
  * the FreeBSD Foundation.
@@ -661,6 +664,58 @@ ATF_TC_BODY(nvlist_send_recv__overflow_header_size, tc)
 	}
 }
 
+ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_big_endian_size);
+ATF_TC_BODY(nvlist_send_recv__overflow_big_endian_size, tc)
+{
+	static const unsigned char payload[] = {
+		0x6c,						/* magic */
+		0x00,						/* version */
+		0x80,						/* flags: NV_FLAG_BIG_ENDIAN */
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf5,
+	};
+	nvlist_t *nvl;
+	int sv[2];
+
+	ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
+	ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
+	    (ssize_t)sizeof(payload));
+	ATF_REQUIRE_EQ(close(sv[1]), 0);
+
+	errno = 0;
+	nvl = nvlist_recv(sv[0], 0);
+	ATF_REQUIRE(nvl == NULL);
+	ATF_REQUIRE_EQ(errno, EINVAL);
+
+	ATF_REQUIRE_EQ(close(sv[0]), 0);
+}
+
+ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_little_endian_size);
+ATF_TC_BODY(nvlist_send_recv__overflow_little_endian_size, tc)
+{
+	static const unsigned char payload[] = {
+		0x6c,						/* magic */
+		0x00,						/* version */
+		0x00,						/* flags */
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0xf5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	};
+	nvlist_t *nvl;
+	int sv[2];
+
+	ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
+	ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
+	    (ssize_t)sizeof(payload));
+	ATF_REQUIRE_EQ(close(sv[1]), 0);
+
+	errno = 0;
+	nvl = nvlist_recv(sv[0], 0);
+	ATF_REQUIRE(nvl == NULL);
+	ATF_REQUIRE_EQ(errno, EINVAL);
+
+	ATF_REQUIRE_EQ(close(sv[0]), 0);
+}
+
 ATF_TC_WITHOUT_HEAD(nvlist_send_recv__invalid_fd_size);
 ATF_TC_BODY(nvlist_send_recv__invalid_fd_size, tc)
 {
@@ -796,6 +851,8 @@ ATF_TP_ADD_TCS(tp)
 	ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__stream);
 
 	ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_header_size);
+	ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_big_endian_size);
+	ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_little_endian_size);
 	ATF_TP_ADD_TC(tp, nvlist_send_recv__invalid_fd_size);
 	ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_fd_size);
 
diff --git a/sys/contrib/libnv/nvlist.c b/sys/contrib/libnv/nvlist.c
index 73226ee51a78..11d9c9b49c94 100644
--- a/sys/contrib/libnv/nvlist.c
+++ b/sys/contrib/libnv/nvlist.c
@@ -1027,10 +1027,6 @@ static bool
 nvlist_check_header(struct nvlist_header *nvlhdrp)
 {
 
-	if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
-		ERRNO_SET(EINVAL);
-		return (false);
-	}
 	if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) {
 		ERRNO_SET(EINVAL);
 		return (false);
@@ -1050,6 +1046,11 @@ nvlist_check_header(struct nvlist_header *nvlhdrp)
 		nvlhdrp->nvlh_descriptors = be64toh(nvlhdrp->nvlh_descriptors);
 	}
 #endif
+	if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
+		ERRNO_SET(EINVAL);
+		return (false);
+	}
+
 	return (true);
 }