cb6dbe5ae7
- the nvlist error is set, or - the nvlist case ignore flag is not set and there is attend to add element with duplicated name. In both cases the nvlist_move_nvpair() function free nvpair structure. If library will try to unpack a binary blob which contains duplicated names it will end up with using memory after free. To prevent that, the nvlist_move_nvpair() function interface is changed to report about failure and checks are added to the nvpair_xunpack() function. Discovered thanks to the american fuzzy lop. Approved by: pjd (mentor) |
||
|---|---|---|
| .. | ||
| dnvlist.c | ||
| nv_impl.h | ||
| nvlist_impl.h | ||
| nvlist.c | ||
| nvpair_impl.h | ||
| nvpair.c | ||