libnv: Fix a length check in nvpair_unpack_string_array()
Closed, Public

Authored by markj on Mon, Oct 13, 1:44 PM.
Referenced Files
F133407738: D53069.diff
Sat, Oct 25, 2:13 PM

Details

Summary

A string array is represented by a set of nul-terminated strings
concatenated together. For each string, we check to see if there's a
nul terminator at the end, taking care to avoid going past the end of
the buffer. However, the code fails to handle the possibility that
size == 0 at the end of an iteration, leading to underflow.

Fix the length check.

Reported by: Ilja van Sprundel <ivansprundel@ioactive.com>
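
The check described in the summary, as an added example (this is not the libnv code and not the patch under review): a hypothetical `check_string_array()` validates a buffer of concatenated NUL-terminated strings against a claimed item count, including the case where the remaining size reaches 0 before every item has been consumed. The function name and the sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical validator, not libnv code: returns 0 if buf[0..size) holds
 * exactly nitems NUL-terminated strings laid end to end, -1 otherwise.
 */
static int
check_string_array(const char *buf, size_t size, size_t nitems)
{
	const char *p = buf, *nul;
	size_t i, len;

	for (i = 0; i < nitems; i++) {
		/*
		 * Earlier strings may already have consumed the whole buffer.
		 * Reject that case before any arithmetic on size: with an
		 * unsigned type, "size - 1" would wrap to SIZE_MAX here.
		 */
		if (size == 0)
			return (-1);
		/* memchr() inspects at most the bytes that remain. */
		nul = memchr(p, '\0', size);
		if (nul == NULL)
			return (-1);	/* last string is unterminated */
		len = (size_t)(nul - p) + 1;	/* include the terminator */
		p += len;
		size -= len;	/* len <= size, so this cannot wrap */
	}
	/* The claimed item count must account for every byte. */
	return (size == 0 ? 0 : -1);
}

/* Constructed sample: "ab" and "cd", 6 bytes including both terminators. */
static const char sample[] = "ab\0cd";

int
main(void)
{
	printf("2 items, 6 bytes: %d\n", check_string_array(sample, 6, 2));
	printf("3 items, 6 bytes: %d\n", check_string_array(sample, 6, 3));
	printf("2 items, 5 bytes: %d\n", check_string_array(sample, 5, 2));
	return (0);
}
```

The second call is the case the summary singles out: the item count claims one more string than the buffer holds, so the remaining size is 0 when the loop starts its third iteration.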

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 67752
Build 64635: arc lint + arc unit