Ensure blob_attr length check does not perform out of bounds reads

Before there might have been as little as one single byte left which
would result in 3 bytes of blob_attr->id_len being out of bounds.

Acked-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[line wrapped < 72 chars]
Signed-off-by: Petr Štetiar <ynezz@true.cz>

1 files changed, 2 insertions, 2 deletions

diff --git a/blob.h b/blob.h
index af03360..6d61876 100644
--- a/blob.h
+++ b/blob.h
@@ -243,7 +243,7 @@ blob_put_u64(struct blob_buf *buf, int id, uint64_t val)
 
 #define __blob_for_each_attr(pos, attr, rem) \
 	for (pos = (struct blob_attr *) attr; \
-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
+	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
 	     rem -= blob_pad_len(pos), pos = blob_next(pos))
 
@@ -251,7 +251,7 @@ blob_put_u64(struct blob_buf *buf, int id, uint64_t val)
 #define blob_for_each_attr(pos, attr, rem) \
 	for (rem = attr ? blob_len(attr) : 0, \
 	     pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
-	     rem > 0 && (blob_pad_len(pos) <= rem) && \
+	     rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
 	     (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
 	     rem -= blob_pad_len(pos), pos = blob_next(pos))