[OpenWrt-Devel] [PATCH][libubox] blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes

Petr Štetiar ynezz at true.cz
Mon Jan 20 06:08:55 EST 2020


Juraj Vijtiuk <juraj.vijtiuk at sartura.hr> [2020-01-14 22:11:18]:

Hi,

I just sent v2 for review[2], can you check it please?

> > > @@ -191,7 +197,11 @@ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
> > >     }
> > >
> > >     __blob_for_each_attr(attr, data, len) {
> > > +           if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr))
> > > +                   return -1;
> >
> > If there is such problem, then this should be probably fixed directly in
> > __blob_for_each_attr so we possibly protect other __blob_for_each_attr
> > users[1].
> 
> Can you maybe provide a patch? I'd be happy to test it and let you
> know what the results are.

Seems like I need more time on this, to come up with some meaningful solution
(it's blob related function, but it would need to check blobmsg etc.), I've
just prepared some common helper functions which should help. I don't want to
block this changes just because of that. I'll try to add you to the Cc: in
that follow up patch.

1. https://patchwork.ozlabs.org/patch/1225878/

-- ynezz

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


More information about the openwrt-devel mailing list