[PATCH 0/2] blob: detect and fix buflen overflow
Zefir Kurtisi
zefir.kurtisi at gmail.com
Fri Apr 23 18:47:59 BST 2021
The current implementation of the blob buffer misses a mechanism
to prevent the buflen from exceeding its maximum allowed size of 16MB
(given by BLOB_ATTR_LEN_MASK). Instead of aborting and returning
false in blob_buf_grow() when the limit is reached, blob_add()
succeeds, providing valid blob_attr pointers without increasing
the blob's buflen.
This series provides two commits with
* the first one adding a simple test to demonstrate the effect
* the second providing the fix
NOTE: obviously having blobs with buffers of more than 16MB does
not really make sense, especially in embedded systems. The issue
was detected not by working with huge buffers, but within a loop
expanding the blob buffer until blob_add() returned NULL, which
actually never happened.
Zefir Kurtisi (2):
  tests: add blob-buffer overflow test
  blob: fix exceeding maximum buffer length

 blob.c                   |  2 ++
 tests/test-blob-buffer.c | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 tests/test-blob-buffer.c
--
2.17.1
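
The behaviour the cover letter asks for, as an added example that is not part of the original message and not libubox code: a simplified growable buffer whose grow step refuses to exceed a 24-bit length limit, so a fill loop like the one in the NOTE terminates with NULL. The names demo_buf, demo_grow, demo_add and demo_fill, the LEN_MASK value (chosen to match the stated 16MB limit) and the 256-byte growth step are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: 24-bit length field, i.e. the 16MB limit the message gives. */
#define LEN_MASK 0x00ffffffu

struct demo_buf { unsigned char *data; size_t buflen, used; }; /* allocated, used */

/* Grow by at least minlen bytes, in 256-byte steps (a choice of this demo). */
static bool demo_grow(struct demo_buf *b, size_t minlen)
{
    size_t new_len = b->buflen + ((minlen / 256) + 1) * 256;
    unsigned char *p;
    if (new_len > LEN_MASK) /* refuse what the length field cannot encode */
        return false;
    p = realloc(b->data, new_len);
    if (!p)
        return false;
    b->data = p;
    b->buflen = new_len;
    return true;
}

/* Reserve len bytes; NULL once the buffer cannot grow any further. */
static void *demo_add(struct demo_buf *b, size_t len)
{
    size_t need = b->used + len;
    if (len == 0 || len > LEN_MASK ||
        (need > b->buflen && !demo_grow(b, need - b->buflen)))
        return NULL;
    b->used = need;
    return b->data + need - len;
}

/* Fill loop as in the NOTE: add chunks until NULL, count the successes. */
static size_t demo_fill(struct demo_buf *b, size_t chunk, size_t max_iter)
{
    size_t n = 0;
    while (n < max_iter && demo_add(b, chunk))
        n++;
    return n;
}

int main(void)
{
    struct demo_buf b = {0};
    printf("%zu chunks fit\n", demo_fill(&b, 65536, 1000)); /* constructed input */
    free(b.data);
    return 0;
}
```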