[OpenWrt-Devel] [PATCH RFC libubox] blobmsg: another attrs iteration fix for blobmsg_check_array_len()

Felix Fietkau nbd at nbd.name
Mon May 25 04:51:36 EDT 2020

On 2020-05-25 10:31, Rafał Miłecki wrote:
> From: Rafał Miłecki <rafal at milecki.pl>
> After more reviews is seems that blobmsg_for_each_attr() should not be
> used when dealing with untrusted data as it reads length from blob data
> itself. It means it can't be used in the blobmsg_check_array_len().
> Switch back to using __blobmsg_for_each_attr() BUT pass correct length
> to it. Calculate it by subtracting header length from blob length.
This should not be necessary, because the length is validated in the
blobmsg_check_attr_len call earlier in the same function.
I think your previous fix is completely fine as-is.

- Felix

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list