Date: Thu, 14 Aug 2025 16:03:14 GMT
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 62df4a7dd8e0 - stable/14 - hastd: Fix nv data size check
Message-ID: <202508141603.57EG3EXM079949@gitrepo.freebsd.org>
The branch stable/14 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=62df4a7dd8e0cd0c27da54966f540dfb5c543658

commit 62df4a7dd8e0cd0c27da54966f540dfb5c543658
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2025-08-06 13:49:37 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2025-08-14 14:00:09 +0000

    hastd: Fix nv data size check

    The data size check, as currently written, can be defeated by providing
    a very large number that rounds up to 0, which will pass the check
    (because zero plus the size of the header and name is smaller than the
    size of the message) but cause a segfault later when used to index the
    data array. Rewrite the data size check to take rounding into account,
    and add a cast to ensure the name size can't round up to zero.

    MFC after:	1 week
    PR:		266827
    Reviewed by:	markj
    Differential Revision:	https://reviews.freebsd.org/D51615

    (cherry picked from commit 3caee2a93f235ebcfe3a8ec99eb2c3f3e5b0438f)
---
 sbin/hastd/nv.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/sbin/hastd/nv.c b/sbin/hastd/nv.c index fd6b56c1148d..4e50d0026e7b 100644 --- a/sbin/hastd/nv.c +++ b/sbin/hastd/nv.c @@ -98,7 +98,7 @@ struct nvhdr { } __packed; #define NVH_DATA(nvh) ((unsigned char *)nvh + NVH_HSIZE(nvh)) #define NVH_HSIZE(nvh) \ - (sizeof(struct nvhdr) + roundup2((nvh)->nvh_namesize, 8)) + (sizeof(struct nvhdr) + roundup2((size_t)(nvh)->nvh_namesize, 8)) #define NVH_DSIZE(nvh) \ (((nvh)->nvh_type & NV_ORDER_MASK) == NV_ORDER_HOST ? \ (nvh)->nvh_dsize : \ @@ -248,11 +248,8 @@ nv_validate(struct nv *nv, size_t *extrap) break; } dsize = NVH_DSIZE(nvh); - if (dsize == 0) { - error = EINVAL; - break; - } - if (size < NVH_SIZE(nvh)) { + if (roundup2(dsize, 8) == 0 || + roundup2(dsize, 8) > size - NVH_HSIZE(nvh)) { error = EINVAL; break; }
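Review bot: in the NVH_HSIZE hunk (@@ -98,7 +98,7 @@) the (size_t) cast widens only nvh_namesize, while NVH_DSIZE(nvh) directly below it is left as is; the removed check in nv_validate() used NVH_SIZE(nvh), which rounds NVH_DSIZE(nvh) with the same roundup2() and is exactly where the commit message's "rounds up to 0" occurs. If NVH_SIZE() still has other callers, they keep the wrap; suggest `roundup2((size_t)NVH_DSIZE(nvh), 8)` in NVH_SIZE() as well, or removing NVH_SIZE() if nv_validate() was its only user.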
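Review bot: in the nv_validate() hunk (@@ -248,11 +248,8 @@) the new condition computes `size - NVH_HSIZE(nvh)` with unsigned operands, so unless an earlier test not visible here already rejects `size < NVH_HSIZE(nvh)`, a message shorter than its own header makes the subtraction underflow to a huge value and the rounded dsize passes the comparison. The removed `size < NVH_SIZE(nvh)` test covered that case implicitly; suggest adding `NVH_HSIZE(nvh) > size ||` as the first term of the new `if`, or noting in a comment which earlier check guarantees the subtraction cannot wrap.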
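The bypass the commit message describes, and the rounding-aware replacement, in a stand-alone C program. This is an added example and not hastd's code: it assumes a packed header with a uint8_t name size and a uint32_t data size in host byte order (no NV_ORDER handling), and the helper names old_accepts()/new_accepts() are mine. The value 0xFFFFFFF9 is the smallest dsize for which a 32-bit roundup2() wraps to 0.

```c
/*
 * Added example, not hastd's code.  It reproduces the size-check bypass
 * described in the commit message and the rounding-aware replacement.
 * Assumptions: a packed header with a uint8_t name size and a uint32_t
 * data size in host byte order (so no NV_ORDER handling), and the helper
 * names old_accepts()/new_accepts() are my own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same definition as FreeBSD's sys/param.h: round x up to a multiple of y. */
#define roundup2(x, y)	(((x) + ((y) - 1)) & (~((y) - 1)))

struct nvhdr {
	uint8_t		nvh_type;
	uint8_t		nvh_namesize;
	uint32_t	nvh_dsize;
	/* name bytes follow, padded to 8; the data follows the name */
} __attribute__((packed));

/* Header size including the padded name, with the cast from the commit. */
#define NVH_HSIZE(nvh) \
	(sizeof(struct nvhdr) + roundup2((size_t)(nvh)->nvh_namesize, 8))

/*
 * The pre-commit logic: reject dsize == 0, then require that the header
 * plus the rounded data size fits in the message.  dsize is 32-bit, so
 * roundup2() is evaluated in 32-bit arithmetic and wraps to 0 for any
 * dsize >= 0xFFFFFFF9; the message then "fits" although dsize is huge.
 */
static bool
old_accepts(uint32_t dsize, size_t size)
{
	struct nvhdr h = { .nvh_type = 1, .nvh_namesize = 4, .nvh_dsize = dsize };

	if (dsize == 0)
		return (false);
	return (size >= NVH_HSIZE(&h) + roundup2(dsize, 8));
}

/*
 * The post-commit logic: a rounded size of 0 (dsize == 0 or a wrap) is
 * rejected outright, and the rounded size is compared against the room
 * left after the header.  The explicit size >= header test keeps the
 * subtraction from underflowing on messages shorter than their header.
 */
static bool
new_accepts(uint32_t dsize, size_t size)
{
	struct nvhdr h = { .nvh_type = 1, .nvh_namesize = 4, .nvh_dsize = dsize };

	if (size < NVH_HSIZE(&h))
		return (false);
	if (roundup2(dsize, 8) == 0 ||
	    roundup2(dsize, 8) > size - NVH_HSIZE(&h))
		return (false);
	return (true);
}

int
main(void)
{
	/* Constructed inputs: a sane payload, an oversize one, zero, and the wrapping value. */
	const uint32_t probes[] = { 16, 100, 0, 0xFFFFFFF9u };
	const size_t msgsize = 64;

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("dsize=0x%08x old=%s new=%s\n", probes[i],
		    old_accepts(probes[i], msgsize) ? "accept" : "reject",
		    new_accepts(probes[i], msgsize) ? "accept" : "reject");
	return (0);
}
```

With a 64-byte message and a 4-byte name (header size 14), the old check accepts dsize 0xFFFFFFF9 because its rounded size is 0 and 14 <= 64, while the new check rejects it on the `== 0` term; both checks agree on ordinary sizes.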
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202508141603.57EG3EXM079949>