git.openwrt.org/project/libubox.git
author: Tobias Schramm <tobleminer@gmail.com> 2018-11-28 15:39:29 +0300
committer: Petr Štetiar <ynezz@true.cz> 2019-12-25 12:31:58 +0300
commit: 143303149c8b87fec76b7f2f4b365baae1e18d2c
tree: 5dcaaa49258490a8acdbc04f46c31874cfe8d887 /blobmsg.h
parent: f2b2ee441adb22bdcab7247589545eb27c941d78

Ensure blob_attr length check does not perform out of bounds reads

Before there might have been as little as one single byte left which would result in 3 bytes of blob_attr->id_len being out of bounds.

Acked-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[line wrapped < 72 chars]
Signed-off-by: Petr Štetiar <ynezz@true.cz>

Diffstat (limited to 'blobmsg.h')
-rw-r--r-- blobmsg.h 2
1 files changed, 1 insertions, 1 deletions
diff --git a/blobmsg.h b/blobmsg.h
index 0af0878..00e0fdc 100644
--- a/blobmsg.h
+++ b/blobmsg.h
@@ -266,7 +266,7 @@ int blobmsg_printf(struct blob_buf *buf, const char *name, const char *format, .
#define blobmsg_for_each_attr(pos, attr, rem) \
for (rem = attr ? blobmsg_data_len(attr) : 0, \
pos = (struct blob_attr *) (attr ? blobmsg_data(attr) : NULL); \
- rem > 0 && (blob_pad_len(pos) <= rem) && \
+ rem >= sizeof(struct blob_attr) && (blob_pad_len(pos) <= rem) && \
(blob_pad_len(pos) >= sizeof(struct blob_attr)); \
rem -= blob_pad_len(pos), pos = blob_next(pos))
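
Review bot: On the changed condition line, rem >= sizeof(struct blob_attr) compares the caller-declared rem against a size_t, so a caller that declares rem as a signed int has it converted to unsigned for this test, and the explicit non-negative guard that the removed rem > 0 provided is gone. The macro does not fix the type of rem, so consider either keeping both tests (rem > 0 && (size_t) rem >= sizeof(struct blob_attr)) or documenting above the macro that rem must be an unsigned type. A one-line comment stating that the full header must fit in rem before blob_pad_len(pos) is evaluated would also protect the ordering of the three conditions from being rearranged later.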