blobmsg: fix heap buffer overflow in blobmsg_parse

Fixes following error found by the fuzzer: ==29774==ERROR: AddressSanitizer: heap-buffer-overflow READ of size 1 at 0x6020004f1c56 thread T0 #0 strcmp sanitizer_common_interceptors.inc:442:3 #1 blobmsg_parse blobmsg.c:168:8 Signed-off-by: Petr Štetiar <ynezz@true.cz>
author: Petr Štetiar <ynezz@true.cz> 2019-12-10 14:02:40 +0300
committer: Petr Štetiar <ynezz@true.cz> 2019-12-25 12:31:58 +0300
commit: f2b2ee441adb22bdcab7247589545eb27c941d78 (patch)
tree: fc945955ebe6d4d36d1b4fb4e5ec5a4d89c103fe /blobmsg.c
parent: 4dfd24ed88c4d721d2b26d478b9ada86395d0554 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/blobmsg.c b/blobmsg.c
index 1a8b783..71d4a36 100644
--- a/blobmsg.c
+++ b/blobmsg.c
@@ -53,6 +53,9 @@ bool blobmsg_check_attr(const struct blob_attr *attr, bool name)
 
 	id = blob_id(attr);
 	len = blobmsg_data_len(attr);
+	if (len > blob_raw_len(attr))
+		return false;
+
 	data = blobmsg_data(attr);
 
 	if (id > BLOBMSG_TYPE_LAST)
author	Petr Štetiar <ynezz@true.cz>	2019-12-10 14:02:40 +0300
committer	Petr Štetiar <ynezz@true.cz>	2019-12-25 12:31:58 +0300
commit	f2b2ee441adb22bdcab7247589545eb27c941d78 (patch)
tree	fc945955ebe6d4d36d1b4fb4e5ec5a4d89c103fe /blobmsg.c
parent	4dfd24ed88c4d721d2b26d478b9ada86395d0554 (diff)