Message ID | 20200126151439.26720-1-hauke@hauke-m.de |
---|---|
State | Rejected |
Delegated to: | Hauke Mehrtens |
Headers | show |
Series | [OpenWrt-Devel,libubox] blob: Check remaining size in blob_parse() | expand |
On 1/26/20 4:14 PM, Hauke Mehrtens wrote: > This extends the blob_parse() function to check that no inner attribute > is bigger than the outside attribute. The blob_parse_untrusted() should > be used when we know the size of blob_attr *attr, in some other way. > > Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> > --- > blob.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/blob.c b/blob.c > index 528e717..0ed6c80 100644 > --- a/blob.c > +++ b/blob.c > @@ -295,9 +295,10 @@ blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_at > struct blob_attr *pos; > int found = 0; > size_t rem; > + size_t len = blob_raw_len(attr); > > memset(data, 0, sizeof(struct blob_attr *) * max); > - blob_for_each_attr(pos, attr, rem) { > + blob_for_each_attr_len(pos, attr, len, rem) { > found += blob_parse_attr(pos, rem, data, info, max); > } > > I checked the code again more closely and I think it is already doing something similar in blob_for_each_attr_len(). rem is initialized with blob_len(attr). #define blob_for_each_attr_len(pos, attr, attr_len, rem) \ for (rem = attr ? blob_len(attr) : 0, \ pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \ rem >= sizeof(struct blob_attr) && rem < attr_len && (blob_pad_len(pos) <= rem) && \ (blob_pad_len(pos) >= sizeof(struct blob_attr)); \ rem -= blob_pad_len(pos), pos = blob_next(pos)) Hauke
diff --git a/blob.c b/blob.c index 528e717..0ed6c80 100644 --- a/blob.c +++ b/blob.c @@ -295,9 +295,10 @@ blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_at struct blob_attr *pos; int found = 0; size_t rem; + size_t len = blob_raw_len(attr); memset(data, 0, sizeof(struct blob_attr *) * max); - blob_for_each_attr(pos, attr, rem) { + blob_for_each_attr_len(pos, attr, len, rem) { found += blob_parse_attr(pos, rem, data, info, max); }
This extends the blob_parse() function to check that no inner attribute is bigger than the outside attribute. The blob_parse_untrusted() should be used when we know the size of blob_attr *attr, in some other way. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> --- blob.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)