The nvlist_move_nvpair() function can fail in two cases, if:

- the nvlist error is set, or
- the nvlist case ignore flag is not set and there is attend to
  add element with duplicated name.
In both cases the nvlist_move_nvpair() function free nvpair structure.
If library will try to unpack a binary blob which contains duplicated
names it will end up with using memory after free.

To prevent that, the nvlist_move_nvpair() function interface is changed
to report about failure and checks are added to the nvpair_xunpack()
function.

Discovered thanks to the american fuzzy lop.

Approved by:	pjd (mentor)

0 files changed, 0 insertions, 0 deletions