[OpenWrt-Devel] [PATCH libubox] blob: Check remaining size in blob_parse()

Sun Jan 26 17:08:42 EST 2020

On 1/26/20 4:14 PM, Hauke Mehrtens wrote:
> This extends the blob_parse() function to check that no inner attribute
> is bigger than the outside attribute. The blob_parse_untrusted() should
> be used when we know the size of blob_attr *attr, in some other way.
> 
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---
>  blob.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/blob.c b/blob.c
> index 528e717..0ed6c80 100644
> --- a/blob.c
> +++ b/blob.c
> @@ -295,9 +295,10 @@ blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_at
>  	struct blob_attr *pos;
>  	int found = 0;
>  	size_t rem;
> +	size_t len = blob_raw_len(attr);
>  
>  	memset(data, 0, sizeof(struct blob_attr *) * max);
> -	blob_for_each_attr(pos, attr, rem) {
> +	blob_for_each_attr_len(pos, attr, len, rem) {
>  		found += blob_parse_attr(pos, rem, data, info, max);
>  	}
>  
> 

I checked the code again more closely and I think it is already doing
something similar in blob_for_each_attr_len(). rem is initialized with
blob_len(attr).

#define blob_for_each_attr_len(pos, attr, attr_len, rem) \
	for (rem = attr ? blob_len(attr) : 0, \
	     pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
	     rem >= sizeof(struct blob_attr) && rem < attr_len &&
(blob_pad_len(pos) <= rem) && \
	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
	     rem -= blob_pad_len(pos), pos = blob_next(pos))

Hauke

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20200126/b89615a4/attachment.sig>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel