[PATCH 0/2] blob: detect and fix buflen overflow

Zefir Kurtisi zefir.kurtisi at gmail.com
Fri Apr 23 18:47:59 BST 2021


The current implementation of the blob buffer lacks a mechanism
to prevent the buflen from exceeding its maximum allowed size of 16MB
(given by BLOB_ATTR_LEN_MASK). Instead of aborting and returning
false in blob_buf_grow() when the limit is reached, blob_add()
succeeds providing valid blob_attr pointers without increasing
the blob's buflen.

This series provides two commits with
* the first one adding a simple test to demonstrate the effect
* the second providing the fix


NOTE: obviously having blobs with buffers of more than 16MB does
not really make sense, especially in embedded systems. The issue
was detected not by working with huge buffers, but within a loop
expanding the blob buffer until blob_add() returned NULL, which
actually never happened.


Zefir Kurtisi (2):
  tests: add blob-buffer overflow test
  blob: fix exceeding maximum buffer length

 blob.c                   |  2 ++
 tests/test-blob-buffer.c | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 tests/test-blob-buffer.c

-- 
2.17.1
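
Added example, not part of the original message and not libubox code: a simplified C model of the symptom described above, where a grow step that hits the 16MB limit either reports failure or reports success while leaving buflen unchanged. The names model_buf, model_grow and fill_until_failure and the 0x00ffffff mask value are assumptions of this model; only the 16MB limit and the expected "return false" behaviour come from the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_LEN_MASK 0x00ffffffu  /* assumed 24-bit length field (16MB limit) */

struct model_buf {
    uint32_t buflen;    /* bytes the buffer accounts for */
    bool enforce_max;   /* true: grow fails at the limit (expected behaviour) */
};

/* Model of the grow step; 64-bit arithmetic avoids wrap in the check itself. */
static bool model_grow(struct model_buf *b, uint32_t required)
{
    uint64_t want = (uint64_t)b->buflen + required;

    if (want > MODEL_LEN_MASK) {
        if (b->enforce_max)
            return false;   /* limit reached: report failure to the caller */
        return true;        /* modelled bug: success, buflen not increased */
    }
    b->buflen = (uint32_t)want;
    return true;
}

/* Add fixed-size chunks until an add fails, like the loop mentioned in the
 * cover letter. Returns the number of successful adds, or -1 if `cap` adds
 * all succeeded (the real loop would never have ended). */
static long fill_until_failure(bool enforce_max, uint32_t chunk, long cap,
                               uint32_t *final_len)
{
    struct model_buf b = { 0, enforce_max };
    long n = 0;

    while (model_grow(&b, chunk)) {
        if (++n >= cap) { n = -1; break; }
    }
    *final_len = b.buflen;
    return n;
}

int main(void)
{
    uint32_t len;
    long n = fill_until_failure(true, 1u << 20, 100, &len);
    printf("checked:   adds=%ld buflen=%u\n", n, len);
    n = fill_until_failure(false, 1u << 20, 100, &len);
    printf("unchecked: adds=%ld buflen=%u\n", n, len);
    return 0;
}
```

In the unchecked run every add past the limit is reported as successful while buflen stays at the same value, so a caller that sums the sizes it added can detect the mismatch even when no failure is returned.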



