[OpenWrt-Devel] [PATCH RFC libubox] blobmsg: another attrs iteration fix for blobmsg_check_array_len()
Rafał Miłecki
zajec5 at gmail.com
Mon May 25 04:31:06 EDT 2020
From: Rafał Miłecki <rafal at milecki.pl>
After more reviews is seems that blobmsg_for_each_attr() should not be
used when dealing with untrusted data as it reads length from blob data
itself. It means it can't be used in the blobmsg_check_array_len().
Switch back to using __blobmsg_for_each_attr() BUT pass correct length
to it. Calculate it by subtracting header length from blob length.
Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
---
blobmsg.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/blobmsg.c b/blobmsg.c
index 59045e1..2295aaa 100644
--- a/blobmsg.c
+++ b/blobmsg.c
@@ -142,7 +142,8 @@ int blobmsg_check_array_len(const struct blob_attr *attr, int type,
return -1;
}
- blobmsg_for_each_attr(cur, attr, rem) {
+ rem = blob_len - ((uint8_t *)blobmsg_data(attr) - (uint8_t *)blob_data(attr));
+ __blobmsg_for_each_attr(cur, attr, rem) {
if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type)
return -1;
--
2.26.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list