[OpenWrt-Devel] [PATCH 0/3] libubox: Enhance robustness of blobmsg parsing

Tobias Schramm tobleminer at gmail.com
Fri Nov 23 00:53:12 EST 2018


True. I'll send a V2 with some documentation added.
On Fri, 23 Nov 2018 at 05:11, Yousong Zhou <yszhou4tech at gmail.com> wrote:
>
> On Thu, 22 Nov 2018 at 10:00, Tobias Schramm <tobleminer at gmail.com> wrote:
> >
> > Hi,
> >
> > this patch set makes parsing of blobmsg messages more robust against
> > malformed data.
> >
> > Previously blobmsg_parse would crash due to out of bounds reads when
> > provided with malformed blobs containing invalid blob length specifications.
> > I've introduced a _safe variant of all blobmsg_check_* methods that takes
> > an additional length argument that allows it to verify that all performed
> > reads will be inside the buffer containing the struct attr* to be checked.
> >
> > Since we do already get the actual buffer length for free in a few places
> > (namely blobmsg_parse, blobmsg_parse_array) I've adjusted those methods to
> > use the _safe attribute checking variants.
> >
> > I've not changed the semantics of the old, unsafe blobmsg_check_* functions
> > to include a compiler-level deprecation warning to ensure it does not break
> > builds of existing packages depending on libubox compiled with -Werror.
> >
> > Best Regards,
> >
> > Tobias Schramm
>
> We need to add doc comment for blobmsg_check_attr* functions, making
> it clear that length check of the *attr pointer is assumed to be
> already done by the caller.
>
>                 yousong

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
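
The length-checked validation described in the cover letter above, sketched as an added example that is not part of the original thread and is not libubox code. The header layout, the 4-byte padding and the names `attr_check_len` and `attr_count` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed, simplified layout: 4-byte big-endian header whose low 24 bits
 * give the attribute's total length (header included), padded to 4 bytes. */
#define HDR_LEN  4u
#define LEN_MASK 0x00ffffffu

static uint32_t raw_len(const uint8_t *p)   /* caller guarantees 4 readable bytes */
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return v & LEN_MASK;
}

/* Hypothetical length-checked validator: avail = bytes the caller owns at attr. */
bool attr_check_len(const uint8_t *attr, size_t avail)
{
    if (avail < HDR_LEN)
        return false;                 /* reading the header would go out of bounds */
    uint32_t raw = raw_len(attr);
    return raw >= HDR_LEN && raw <= avail;  /* no underflow, no overrun */
}

/* Count the attributes in buf, or return -1 as soon as one is malformed. */
int attr_count(const uint8_t *buf, size_t len)
{
    int n = 0;
    for (; len > 0; n++) {
        if (!attr_check_len(buf, len))
            return -1;
        size_t step = ((size_t)raw_len(buf) + 3u) & ~(size_t)3u;
        if (step > len)
            step = len;               /* last attribute may lack padding */
        buf += step;
        len -= step;
    }
    return n;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t good[]  = { 3,0,0,8, 'a','b','c','d',  1,0,0,6, 'x','y',0,0 };
static const uint8_t lying[] = { 3,0,0,0x40, 'a','b','c','d' };  /* claims 64 of 8 */
static const uint8_t tiny[]  = { 3,0,0,2, 0,0,0,0 };             /* length < header */

int main(void)
{
    return attr_count(good, sizeof good) == 2 && attr_count(lying, sizeof lying) == -1
        && attr_count(tiny, sizeof tiny) == -1 ? 0 : 1;
}
```

A claimed length below the header size is rejected as well as one above the buffer size; without that lower bound the walk would never advance on a zero-length attribute.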


