[OpenWrt-Devel] [PATCH v4 0/3] libubox: Enhance robustness of blobmsg parsing

Tobias Schramm tobleminer at gmail.com
Wed Nov 28 07:39:28 EST 2018


this patch set makes parsing of blobmsg messages more robust against
malformed data.

Previously blobmsg_parse would crash due to out of bounds reads when
provied with malformed blobs containing invalid blob length specifications.
I've introduced a _safe variant of all blobmsg_check_* methods that takes
an additional length argument that allows it to verify that all performed
reads will be inside the buffer containing the struct attr* to be checked.

Since we do already get the actual buffer length for free in a few places
(namely blobmsg_parse, blobmsg_parse_array) I've adjusted those methods to
use the _safe attribute checking variants.

I've not changed the semantics of the old, unsafe blobmsg_check_* functions
to include a compiler-level deprecation warning to ensure it does not break
builds of existing packages depending on libubox compiled with -Werror.

Best Regards,

Tobias Schramm

 - Add documentation to attribute checking methods in blobmsg.h
 - Inline attribute checking methods
 - Fix orthography
 - Replace inappropriate use of 'NULL' with 'false'

Tobias Schramm (3):
  Ensure blob_attr length check does not perform out of bounds reads
  Replace use of blobmsg_check_attr by blobmsg_check_attr_safe
  Add _safe variants for all attribute checking methods

 blob.h    |  4 +--
 blobmsg.c | 36 ++++++++++++++++++++------
 blobmsg.h | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 102 insertions(+), 13 deletions(-)


openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list