[PATCH 2/2] blob: fix exceeding maximum buffer length

Zefir Kurtisi zefir.kurtisi at gmail.com
Fri Apr 23 18:48:01 BST 2021


Currently there is no measure in place to prevent the blob buffer
from exceeding its maximum allowed length of 16MB. Continuously
calling blob_add() will expand the buffer until it exceeds
BLOB_ATTR_LEN_MASK and after that will return a valid blob_attr
pointer without increasing the buflen.

A test program was added in the previous commit; this one fixes
the issue by asserting that the new buflen after grow does not
exceed BLOB_ATTR_LEN_MASK.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi at gmail.com>
---
 blob.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/blob.c b/blob.c
index 433becb..bd66d78 100644
--- a/blob.c
+++ b/blob.c
@@ -58,6 +58,8 @@ blob_buf_grow(struct blob_buf *buf, int required)
 {
 	int offset_head = attr_to_offset(buf, buf->head);
 
+	if ((buf->buflen + required) > BLOB_ATTR_LEN_MASK)
+		return false;
 	if (!buf->grow || !buf->grow(buf, required))
 		return false;
 
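Review bot: The added check `(buf->buflen + required) > BLOB_ATTR_LEN_MASK` does the addition with `required` declared as `int`, so if `buflen` is also a signed int, a large `required` can overflow the sum before the comparison and a negative `required` passes the check unchallenged. Consider rejecting `required < 0` first and writing the bound as `required > BLOB_ATTR_LEN_MASK - buf->buflen`, which cannot overflow. The check also runs before `buf->grow()`, so it bounds the requested size rather than the length the callback actually allocates. If the callback may round the allocation up, a short comment stating which length is guaranteed to stay within BLOB_ATTR_LEN_MASK would help, since the commit message describes the check as applying to the length after grow.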
-- 
2.17.1



