[PATCH 1/2] tests: add blob-buffer overflow test

Zefir Kurtisi zefir.kurtisi at gmail.com
Fri Apr 23 18:48:00 BST 2021


The blob buffer has no limitation in place
to prevent buflen to exceed maximum size.

This commit adds a test to demonstrate how
a blob increases past the maximum allowd
size of 16MB. It continuously adds chunks
of 64KB and with the 255th one blob_add()
returns a valid attribute pointer but the
blob's buflen does not increase.

The test is used to demonstrate the
failure, which is fixed with a follow-up
commit.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi at gmail.com>
---
 tests/test-blob-buffer.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 tests/test-blob-buffer.c

diff --git a/tests/test-blob-buffer.c b/tests/test-blob-buffer.c
new file mode 100644
index 0000000..ee2f8a2
--- /dev/null
+++ b/tests/test-blob-buffer.c
@@ -0,0 +1,32 @@
+#include <stdio.h>
+
+#include "blobmsg.h"
+
+/* chunks of 64KB to be added to blob-buffer */
+#define BUFF_SIZE	0x10000
+/* exceed maximum blob buff-length */
+#define BUFF_CHUNKS	(((BLOB_ATTR_LEN_MASK + 1) / BUFF_SIZE) + 1)
+
+int main(int argc, char **argv)
+{
+	int i;
+	static struct blob_buf buf;
+	blobmsg_buf_init(&buf);
+	int prev_len = buf.buflen;
+
+	for (i = 0; i < BUFF_CHUNKS; i++) {
+		struct blob_attr *attr = blob_new(&buf, 0, BUFF_SIZE);
+		if (!attr) {
+			fprintf(stderr, "SUCCESS: failed to allocate attribute\n");
+			break;
+		}
+		fprintf(stderr, "i=%d, len=%d, buff=%p\n", i, buf.buflen, attr);
+		if (prev_len < buf.buflen) {
+			prev_len = buf.buflen;
+			continue;
+		}
+		fprintf(stderr, "ERROR: buffer length did not increase\n");
+		return -1;
+	}
+	return 0;
+}
-- 
2.17.1




More information about the openwrt-devel mailing list