A malicious value of size in a structure of packed libnv can cause an integer overflow

overflow, leading to the allocation of a smaller buffer than required for the
parsed data. The introduced check was incorrect, as it took into account the
size of the pointer, not the structure. This vulnerability affects both
kernel and userland.
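The overflow the commit message describes, as an added example that is not libnv code and not part of this commit: a stand-in for the packed header (field layout is assumed; only nvlh_size matters), the unguarded header-plus-claimed-size arithmetic that wraps to a tiny allocation, the flawed guard the message refers to (reconstructed here as sizeof(nvlhdrp), the pointer, which is an assumption about the earlier check), and the structure-size guard the hunk adds, which rejects the same input. The attacker header is constructed inline.

```c
/*
 * Added example, not libnv code: why the size guard must use
 * sizeof(*nvlhdrp), the header structure, and not sizeof(nvlhdrp),
 * the pointer.  Build: cc -Wall -Wextra -o nvhdr nvhdr.c && ./nvhdr
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for libnv's packed header (layout assumed); only nvlh_size matters. */
struct nvlist_header {
	uint8_t		nvlh_magic;
	uint8_t		nvlh_version;
	uint8_t		nvlh_flags;
	uint64_t	nvlh_descriptors;
	uint64_t	nvlh_size;	/* payload size claimed by the sender */
} __attribute__((packed));

/*
 * The arithmetic an unpack path performs: header plus claimed payload.
 * Without a guard, a claimed size close to SIZE_MAX wraps, so the buffer
 * allocated for the parsed data is far smaller than the data itself.
 */
static size_t
unchecked_total_size(const struct nvlist_header *nvlhdrp)
{
	return (sizeof(*nvlhdrp) + (size_t)nvlhdrp->nvlh_size);
}

/*
 * Flawed guard as described in the commit message (reconstruction, an
 * assumption): bounds against the size of the pointer, 4 or 8 bytes, so
 * a size that wraps once the real header size is added still passes.
 */
static bool
size_ok_pointer(const struct nvlist_header *nvlhdrp)
{
	return (nvlhdrp->nvlh_size <= SIZE_MAX - sizeof(nvlhdrp));
}

/* Guard as committed: bounds against the structure, so the sum cannot wrap. */
static bool
size_ok_struct(const struct nvlist_header *nvlhdrp)
{
	return (nvlhdrp->nvlh_size <= SIZE_MAX - sizeof(*nvlhdrp));
}

/*
 * Hardened computation: check before adding and report failure instead of
 * handing back a wrapped size (the caller would set EINVAL, as the hunk does).
 */
static bool
checked_total_size(const struct nvlist_header *nvlhdrp, size_t *totalp)
{
	if (!size_ok_struct(nvlhdrp))
		return (false);
	*totalp = sizeof(*nvlhdrp) + (size_t)nvlhdrp->nvlh_size;
	return (true);
}

/* Constructed attacker header: a size chosen so header + size wraps. */
static struct nvlist_header
malicious_header(void)
{
	struct nvlist_header h = { 0 };

	h.nvlh_size = SIZE_MAX - 10;	/* 10 below the top: wraps to a few bytes */
	return (h);
}

int
main(void)
{
	struct nvlist_header h = malicious_header();
	size_t total;

	printf("claimed payload size          : %zu\n", (size_t)h.nvlh_size);
	printf("unchecked header+payload size : %zu (wrapped)\n",
	    unchecked_total_size(&h));
	printf("sizeof(pointer) guard accepts : %s\n",
	    size_ok_pointer(&h) ? "yes" : "no");
	printf("sizeof(struct) guard accepts  : %s\n",
	    size_ok_struct(&h) ? "yes" : "no");
	printf("checked_total_size            : %s\n",
	    checked_total_size(&h, &total) ? "ok" : "rejected");
	return (0);
}
```

On a 64-bit build the claimed size of SIZE_MAX - 10 plus a 19-byte header wraps to 8, the pointer-size guard (SIZE_MAX - 8 bound) still accepts it, and the structure-size guard (SIZE_MAX - 19 bound) rejects it; the same relationship holds on 32-bit targets because every quantity involved is computed in size_t.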
laffer1 committed Sep 22, 2024
1 parent 01ab70f commit ddab4ff
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions sys/contrib/libnv/nvlist.c
Expand Up @@ -1027,6 +1027,10 @@ nvlist_pack(const nvlist_t *nvl, size_t *sizep)
static bool
nvlist_check_header(struct nvlist_header *nvlhdrp)
{
if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
ERRNO_SET(EINVAL);
return (false);
}

if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) {
ERRNO_SET(EINVAL);
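Review bot: the new guard at the top of nvlist_check_header() carries no comment, so a later reader cannot tell why `SIZE_MAX - sizeof(*nvlhdrp)` is the bound, nor that `sizeof(*nvlhdrp)` (the structure) rather than `sizeof(nvlhdrp)` (the pointer) is the whole point, which is exactly the mistake the commit message says the earlier check made. Suggest a one-line comment above the `if`, e.g. `/* Reject sizes for which sizeof(*nvlhdrp) + nvlh_size would wrap size_t. */`, plus a regression test that feeds a header whose nvlh_size sits just below SIZE_MAX through the unpack path and expects EINVAL, so the pointer-versus-structure slip cannot come back silently. Placement ahead of the magic check is fine, and `ERRNO_SET(EINVAL); return (false);` matches the existing failure path below it.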
