From patchwork Wed Nov 28 12:39:31 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tobias Schramm X-Patchwork-Id: 1004526 X-Patchwork-Delegate: ynezz@true.cz Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="IT/0u8QH"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=infradead.org header.i=@infradead.org header.b="gB+ogZ0K"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="n0wvOSDA"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 434gGW3W8fz9s6w for ; Wed, 28 Nov 2018 23:40:03 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Subject:MIME-Version:References: In-Reply-To:Message-Id:Date:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=fSw5WSqPHubkEfSl5+cOY5GWD/2h3E9xNa6GAJMdLcc=; b=IT/0u8QH2BhFYK LaY0DyHYAxLHE/KZ3TRO16BSVqYnKln65RzZVUTM3Q0rYDiaiNf9cqeVaebewfoePtTzSCUsDUFTD 5ryDvyUstlprUbVA8V2z/6OsL3dhqkdKYDNLxI1l+ih+rbcpf4EZx/7kgBMpRdR9t4g2jqmYX8KMh IlksulvxwSGQk7sOJYDA3Dj/KYEW5TyGsu+6ZaxFfD8NMuyQT1Yx231SSH/bxHOLP7qyqTv895Vi6 UhuJDcs53/0cRSgNHU5D5pA7Yd057DkiGOVv+dGN1nTvD1VPIFyUKS6y6qi1M+L1F3PZ1+xVDqIqF zmstkko9cWBV4FWkYdTA==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1gRz8I-0005rZ-3a; Wed, 28 Nov 2018 12:39:58 +0000 Received: from merlin.infradead.org ([2001:8b0:10b:1231::1]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gRz7l-0005Fb-8R for openwrt-devel@bombadil.infradead.org; Wed, 28 Nov 2018 12:39:25 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=Content-Transfer-Encoding:MIME-Version: References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=CUm3K4NEgJ2GdiZkoREjjZCrCXWLNmQUH+MmPtNC8qo=; b=gB+ogZ0KccByTxXxWLim8FgbgG 8u3OGIU32tELcIIgEAISCzvbs8KQPCZ5y87cadNIMsLcv4AjMLP41ZRWuxRmKo6v5ln2Dy92OkyrR CHJ1wZoxWEbSh0yfAlotfJyEnJYa0dKWODN6n8k9lUKvoYVXWvHCn9WgeXrmwHSCaLnRJGaypgFJ0 c5tpMK3IB6BXmZJ3QZGR2wOpknwd3HDOg9we0A//e4cYK8/saBCEfn6nsFaDMXnZ+WrE4/1zpSavH Uel3swh0BiSZv8GJt7pjCYh2+vt7GVn43F4Y2R3IMWyTHDeOrg8lem2JcVGMRRFS2atei2yi50yYd Xzql/O8w==; Received: from mail-wr1-x441.google.com ([2a00:1450:4864:20::441]) by merlin.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gRz7i-0004nk-DE for openwrt-devel@lists.openwrt.org; Wed, 28 Nov 2018 12:39:23 +0000 Received: by mail-wr1-x441.google.com with SMTP id r10so26127025wrs.10 for ; Wed, 28 Nov 2018 04:39:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=CUm3K4NEgJ2GdiZkoREjjZCrCXWLNmQUH+MmPtNC8qo=; b=n0wvOSDAcrd4wLl2tBXhr9mmpszVRkfSrrR5MYde81Bl8BCwmBaV+kDDwd2Ss2EkHx f6Z5hLhbz9Cdn5WFCZkW38mJsnfGIuC/nRlpc+Pf3HJEunPfXxkxHuz9oEcrvT83DlQf g7+Y6A7ME7Rh+R8Dw1FS9Y8KhgTHFvMOCQyh4MIv6jf91oV04X6rOUm1F58vTCKFe6Fb vPkALAXwpWUn8O39pf1PA+IuCYp0WJL2Qdsl7ppKY6RMXnE/92uKwMVPXZmorLXwptkl LJKQouv1ajMhlXxZ4wffjAFAHNo0z0S9JF2mJBgduNdaZygt8VgC1HOJph8oeK3UEbUk A7cQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=CUm3K4NEgJ2GdiZkoREjjZCrCXWLNmQUH+MmPtNC8qo=; b=UVtxUWSf+RLr2m4PYz7vEVw4H07ITji2Nizf1cyLnKQSyPygl6LOh5ZlEkZmiyfzKV OxK+fVdLXUeq52eBoYvyr1X88wHVs25NlXhnirU5nUlpR3B7LVxYAQ6omKHxjjHhGsAm eb4GYW2twHJpgxeVUBg0xnD3ZZbF+HHgeh5lAGhBotia1mNJEdmcbdb4vgtoulkyaJsh GFgCaTEeq1yW3ArOcXPm9tM0WZ+2Yj9HHmWceZHyJvBigEcKZlvZhZvCwZ1HM0qc4vCe x2Qxi6ascaETF5HeqWyoCYWgbc4GGd1HAxov/+aX7JiIwAI0JAlrAqCvKG5h66mMugZZ jcZg== X-Gm-Message-State: AA+aEWZi7Xjco17uAlV0INZt7dqaJXmZr8GuaHFfarDCskCmqZK5yIp3 LsPafItBoBdpYC4CkQZHNaDw9EvS X-Google-Smtp-Source: AFSGD/VrmX+1JV5jdoKtScejBH7mF95b593TckChOYWErz/V1rkTU1pE4aCsO5J2xqldZcN3iqVTeQ== X-Received: by 2002:adf:9123:: with SMTP id j32mr20086095wrj.122.1543408745875; Wed, 28 Nov 2018 04:39:05 -0800 (PST) Received: from sunsetshimmer.lan ([2a02:8106:19:4900:3ab5:b1b6:c8c2:b39f]) by smtp.gmail.com with ESMTPSA id b7sm5612177wrs.47.2018.11.28.04.39.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Nov 2018 04:39:05 -0800 (PST) From: Tobias Schramm To: openwrt-devel@lists.openwrt.org Date: Wed, 28 Nov 2018 13:39:31 +0100 Message-Id: <20181128123931.28840-4-tobleminer@gmail.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20181128123931.28840-1-tobleminer@gmail.com> References: <20181128123931.28840-1-tobleminer@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20181128_073922_453730_B53BBA79 X-CRM114-Status: GOOD ( 13.28 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:441 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (tobleminer[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Subject: [OpenWrt-Devel] [PATCH v4 3/3] Add _safe variants for all attribute checking methods X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Tobias Schramm , nbd@nbd.name Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org Signed-off-by: Tobias Schramm --- blobmsg.c | 12 ++++++++++-- blobmsg.h | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 58 insertions(+), 3 deletions(-) diff --git a/blobmsg.c b/blobmsg.c index 10f3801..13c83bc 100644 --- a/blobmsg.c +++ b/blobmsg.c @@ -75,13 +75,16 @@ bool blobmsg_check_attr_safe(const struct blob_attr *attr, bool name, size_t len return blob_check_type(data, data_len, blob_type[id]); } -int blobmsg_check_array(const struct blob_attr *attr, int type) +int blobmsg_check_array_safe(const struct blob_attr *attr, int type, size_t len) { struct blob_attr *cur; bool name; int rem; int size = 0; + if (!blobmsg_check_attr_safe(attr, false, len)) + return -1; + switch (blobmsg_type(attr)) { case BLOBMSG_TYPE_TABLE: name = true; @@ -97,7 +100,7 @@ int blobmsg_check_array(const struct blob_attr *attr, int type) if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type) return -1; - if (!blobmsg_check_attr(cur, name)) + if (!blobmsg_check_attr_safe(cur, name, rem)) return -1; size++; @@ -111,6 +114,11 @@ bool blobmsg_check_attr_list(const struct blob_attr *attr, int type) return blobmsg_check_array(attr, type) >= 0; } +bool blobmsg_check_attr_list_safe(const struct blob_attr *attr, int type, size_t len) +{ + return blobmsg_check_array_safe(attr, type, len) >= 0; +} + int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len, struct blob_attr **tb, void *data, unsigned int len) { diff --git a/blobmsg.h b/blobmsg.h index d17b896..81fa219 100644 --- a/blobmsg.h +++ b/blobmsg.h @@ -127,15 +127,62 @@ blobmsg_check_attr(const struct blob_attr *attr, bool name) return blobmsg_check_attr_safe(attr, name, blob_raw_len(attr)); } +/* + * blobmsg_check_attr_list: validate a list of attributes + * + * This method may be used with trusted data only. Providing + * malformed blobs will cause out of bounds memory access and + * crash your program or get your device 0wned. + */ bool blobmsg_check_attr_list(const struct blob_attr *attr, int type); +/* + * blobmsg_check_attr_list_safe: safely validate a list of untrusted attributes + * + * This method is a safe implementation of blobmsg_check_attr_list. + * It will limit all memory access performed on the blob to the + * range [attr, attr + len] (upper bound non inclusive) and is + * thus suited for checking untrusted blob attributes. + */ +bool blobmsg_check_attr_list_safe(const struct blob_attr *attr, int type, size_t len); + +/* + * blobmsg_check_attr: validate a list of attributes + * + * This methods may be used with trusted data only. Providing + * malformed blobs will cause out of bounds memory access and + * crash your program or get your device 0wned. + */ +bool blobmsg_check_attr_list(const struct blob_attr *attr, int type); + +/* + * blobmsg_check_array: safely validate untrusted array/table and return size + * + * Checks if all elements of an array or table are valid and have + * the specified type. Returns the number of elements in the array + * + * This method is a safe implementation of blobmsg_check_array. + * It will limit all memory access performed on the blob to the + * range [attr, attr + len] (upper bound non inclusive) and is + * thus suited for checking untrusted blob attributes. + */ +int blobmsg_check_array_safe(const struct blob_attr *attr, int type, size_t len); + /* * blobmsg_check_array: validate array/table and return size * * Checks if all elements of an array or table are valid and have * the specified type. Returns the number of elements in the array + * + * This method may be used with trusted data only. Providing + * malformed blobs will cause out of bounds memory access and + * crash your program or get your device 0wned. */ -int blobmsg_check_array(const struct blob_attr *attr, int type); +static inline int +blobmsg_check_array(const struct blob_attr *attr, int type) +{ + return blobmsg_check_array_safe(attr, type, blob_raw_len(attr)); +} int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len, struct blob_attr **tb, void *data, unsigned int len);