Page MenuHomeFreeBSD

libnv: Fix a length check in nvpair_unpack_string_array()
ClosedPublic

Authored by markj on Oct 13 2025, 1:44 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Jul 15, 6:49 AM
Unknown Object (File)
Wed, Jul 15, 6:49 AM
Unknown Object (File)
Mon, Jul 13, 2:50 AM
Unknown Object (File)
Sun, Jul 5, 1:23 PM
Unknown Object (File)
Tue, Jun 30, 12:42 AM
Unknown Object (File)
Sat, Jun 27, 4:04 PM
Unknown Object (File)
Thu, Jun 25, 10:34 PM
Unknown Object (File)
Mon, Jun 22, 2:27 AM
Subscribers

Details

Summary

A string array is represented by a set of nul-terminated strings
concatenated together. For each string, we check to see if there's a
nul terminator at the end, taking care to avoid going past the end of
the buffer. However, the code fails to handle the possibility that
size == 0 at the end of an iteration, leading to underflow.

Fix the length check.

Reported by: Ilja van Sprundel <ivansprundel@ioactive.com>

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable