diff options
author | Zefir Kurtisi <zefir.kurtisi@gmail.com> | 2021-04-23 20:48:01 +0300 |
---|---|---|
committer | Petr Štetiar <ynezz@true.cz> | 2021-04-29 16:34:21 +0300 |
commit | b36a3a90098db64a46029355e308897c97fbe13d (patch) | |
tree | e782bcf5e18e80a3998e4b50b16d2655de50956d /blob.c | |
parent | a0dbcf8b8f966ce8a358afe555bb75401ef1e9be (diff) |
blob: fix exceeding maximum buffer length
Currently there is no measure in place to prevent the blob buffer
to exceed its maximum allowed length of 16MB. Continuously
calling blob_add() will expand the buffer until it exceeds
BLOB_ATTR_LEN_MASK and after that will return valid blob_attr
pointer without increasing the buflen.
A test program was added in the previous commit, this one fixes
the issue by asserting that the new bufflen after grow does not
exceed BLOB_ATTR_LEN_MASK.
Signed-off-by: Zefir Kurtisi <zefir.kurtisi@gmail.com>
Diffstat (limited to 'blob.c')
-rw-r--r-- | blob.c | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -58,6 +58,8 @@ blob_buf_grow(struct blob_buf *buf, int required) { int offset_head = attr_to_offset(buf, buf->head); + if ((buf->buflen + required) > BLOB_ATTR_LEN_MASK) + return false; if (!buf->grow || !buf->grow(buf, required)) return false; |