[OpenWrt-Devel] [PATCH 0/3] libubox: Enhance robustness of blobmsg parsing
Tobias Schramm
tobleminer at gmail.com
Wed Nov 21 21:00:26 EST 2018
Hi,
this patch set makes parsing of blobmsg messages more robust against
malformed data.
Previously blobmsg_parse would crash due to out of bounds reads when
provided with malformed blobs containing invalid blob length specifications.
I've introduced a _safe variant of all blobmsg_check_* methods that takes
an additional length argument that allows it to verify that all performed
reads will be inside the buffer containing the struct attr* to be checked.
Since we do already get the actual buffer length for free in a few places
(namely blobmsg_parse, blobmsg_parse_array) I've adjusted those methods to
use the _safe attribute checking variants.
I've not changed the semantics of the old, unsafe blobmsg_check_* functions
to include a compiler-level deprecation warning to ensure it does not break
builds of existing packages depending on libubox compiled with -Werror.
Best Regards,
Tobias Schramm
Tobias Schramm (3):
Ensure blob_attr length check does not perform out of bounds reads
Replace use of blobmsg_check_attr by blobmsg_check_attr_safe
Add _safe variants for all attribute checking methods
blob.h | 4 ++--
blobmsg.c | 42 ++++++++++++++++++++++++++++++++++--------
blobmsg.h | 12 +++++++++++-
3 files changed, 47 insertions(+), 11 deletions(-)
--
2.19.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list