diff options
author | Tobias Schramm <tobleminer@gmail.com> | 2018-11-28 15:39:29 +0300 |
---|---|---|
committer | Petr Štetiar <ynezz@true.cz> | 2019-12-25 12:31:58 +0300 |
commit | 143303149c8b87fec76b7f2f4b365baae1e18d2c (patch) | |
tree | 5dcaaa49258490a8acdbc04f46c31874cfe8d887 /blob.h | |
parent | f2b2ee441adb22bdcab7247589545eb27c941d78 (diff) |
Ensure blob_attr length check does not perform out of bounds reads
Before there might have been as little as one single byte left which
would result in 3 bytes of blob_attr->id_len being out of bounds.
Acked-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[line wrapped < 72 chars]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Diffstat (limited to 'blob.h')
-rw-r--r-- | blob.h | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -243,7 +243,7 @@ blob_put_u64(struct blob_buf *buf, int id, uint64_t val) #define __blob_for_each_attr(pos, attr, rem) \ for (pos = (struct blob_attr *) attr; \ - rem > 0 && (blob_pad_len(pos) <= rem) && \ + rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \ (blob_pad_len(pos) >= sizeof(struct blob_attr)); \ rem -= blob_pad_len(pos), pos = blob_next(pos)) @@ -251,7 +251,7 @@ blob_put_u64(struct blob_buf *buf, int id, uint64_t val) #define blob_for_each_attr(pos, attr, rem) \ for (rem = attr ? blob_len(attr) : 0, \ pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \ - rem > 0 && (blob_pad_len(pos) <= rem) && \ + rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \ (blob_pad_len(pos) >= sizeof(struct blob_attr)); \ rem -= blob_pad_len(pos), pos = blob_next(pos)) |