[OpenWrt-Devel] [PATCH RFC libubox] blobmsg: another attrs iteration fix for blobmsg_check_array_len()

Rafał Miłecki zajec5 at gmail.com
Mon May 25 04:31:06 EDT 2020

From: Rafał Miłecki <rafal at milecki.pl>

After more reviews is seems that blobmsg_for_each_attr() should not be
used when dealing with untrusted data as it reads length from blob data
itself. It means it can't be used in the blobmsg_check_array_len().

Switch back to using __blobmsg_for_each_attr() BUT pass correct length
to it. Calculate it by subtracting header length from blob length.

Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
 blobmsg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/blobmsg.c b/blobmsg.c
index 59045e1..2295aaa 100644
--- a/blobmsg.c
+++ b/blobmsg.c
@@ -142,7 +142,8 @@ int blobmsg_check_array_len(const struct blob_attr *attr, int type,
 		return -1;
-	blobmsg_for_each_attr(cur, attr, rem) {
+	rem = blob_len - ((uint8_t *)blobmsg_data(attr) - (uint8_t *)blob_data(attr));
+	__blobmsg_for_each_attr(cur, attr, rem) {
 		if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type)
 			return -1;

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list