[OpenWrt-Devel] [PATCH][libubox] blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
Petr Štetiar
ynezz at true.cz
Mon Jan 20 06:08:55 EST 2020
Juraj Vijtiuk <juraj.vijtiuk at sartura.hr> [2020-01-14 22:11:18]:
Hi,
I just sent v2 for review[2], can you check it please?
> > > @@ -191,7 +197,11 @@ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
> > > }
> > >
> > > __blob_for_each_attr(attr, data, len) {
> > > + if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr))
> > > + return -1;
> >
> > If there is such problem, then this should be probably fixed directly in
> > __blob_for_each_attr so we possibly protect other __blob_for_each_attr
> > users[1].
>
> Can you maybe provide a patch? I'd be happy to test it and let you
> know what the results are.
Seems like I need more time on this, to come up with some meaningful solution
(it's blob related function, but it would need to check blobmsg etc.), I've
just prepared some common helper functions which should help. I don't want to
block this changes just because of that. I'll try to add you to the Cc: in
that follow up patch.
1. https://patchwork.ozlabs.org/patch/1225878/
-- ynezz
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list