On 1/26/20 4:14 PM, Hauke Mehrtens wrote:
> This extends the blob_parse() function to check that no inner attribute
> is bigger than the outside attribute. The blob_parse_untrusted() should
> be used when we know the size of blob_attr *attr, in some other way.
>
> Signed-off-by: Hauke Mehrtens <ha...@hauke-m.de>
> ---
> blob.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/blob.c b/blob.c
> index 528e717..0ed6c80 100644
> --- a/blob.c
> +++ b/blob.c
> @@ -295,9 +295,10 @@ blob_parse(struct blob_attr *attr, struct blob_attr
> **data, const struct blob_at
> struct blob_attr *pos;
> int found = 0;
> size_t rem;
> + size_t len = blob_raw_len(attr);
>
> memset(data, 0, sizeof(struct blob_attr *) * max);
> - blob_for_each_attr(pos, attr, rem) {
> + blob_for_each_attr_len(pos, attr, len, rem) {
> found += blob_parse_attr(pos, rem, data, info, max);
> }
>
>
I checked the code again more closely and I think it is already doing
something similar in blob_for_each_attr_len(). rem is initialized with
blob_len(attr).
#define blob_for_each_attr_len(pos, attr, attr_len, rem) \
for (rem = attr ? blob_len(attr) : 0, \
pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
rem >= sizeof(struct blob_attr) && rem < attr_len &&
(blob_pad_len(pos) <= rem) && \
(blob_pad_len(pos) >= sizeof(struct blob_attr)); \
rem -= blob_pad_len(pos), pos = blob_next(pos))
Hauke
signature.asc
Description: OpenPGP digital signature
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
