Differential D56342

libnv: fix heap overflow in nvlist_recv()
Needs ReviewPublic
Actions

Authored by oshogbo on Fri, Apr 10, 9:28 AM.

Tags

None

Referenced Files

	Unknown Object (File)
	Fri, Apr 10, 9:57 AM

Subscribers

Details

Reviewers

Summary

nvlist_check_header() validated nvlh_size for overflow before
performing conversion. An mallicous user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the orginall value passes the check, but after the conversion the
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.

Diff Detail

Repository

rG FreeBSD src repository

Lint

No Lint Coverage

Unit

No Test Coverage

Build Status

Buildable 72100
Build 68983: arc lint + arc unit

Event Timeline

oshogbo created this revision.Fri, Apr 10, 9:28 AM

Herald added a subscriber: imp. · View Herald TranscriptFri, Apr 10, 9:28 AM

oshogbo requested review of this revision.Fri, Apr 10, 9:28 AM

Harbormaster completed remote builds in B72100: Diff 175218.Fri, Apr 10, 9:28 AM

oshogbo added a reviewer: markj.Fri, Apr 10, 9:30 AM

The commit log should include a "Fixes" tag. Presumably it also deserves an SA and a regression test?

Revision Contents
Changeset List

Path

Size

sys/

contrib/

libnv/

9 lines

Diff 175218

sys/contrib/libnv/nvlist.c

Loading...