Currently there is no measure in place to prevent the blob buffer
to exceed its maximum allowed length of 16MB. Continuously
calling blob_add() will expand the buffer until it exceeds
BLOB_ATTR_LEN_MASK and after that will return valid blob_attr
pointer without increasing the buflen.
A test program was added in the previous commit, this one fixes
the issue by asserting that the new bufflen after grow does not
exceed BLOB_ATTR_LEN_MASK.
Signed-off-by: Zefir Kurtisi <zefir.kurt...@gmail.com>
---
blob.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/blob.c b/blob.c
index 433becb..bd66d78 100644
--- a/blob.c
+++ b/blob.c
@@ -58,6 +58,8 @@ blob_buf_grow(struct blob_buf *buf, int required)
{
int offset_head = attr_to_offset(buf, buf->head);
+ if ((buf->buflen + required) > BLOB_ATTR_LEN_MASK)
+ return false;
if (!buf->grow || !buf->grow(buf, required))
return false;
--
2.17.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
