From a0dbcf8b8f966ce8a358afe555bb75401ef1e9be Mon Sep 17 00:00:00 2001
From: Zefir Kurtisi
Date: Fri, 23 Apr 2021 19:48:00 +0200
Subject: tests: add blob-buffer overflow test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The blob buffer has no limitation in place to prevent buflen to exceed maximum size. This commit adds a test to demonstrate how a blob increases past the maximum allowd size of 16MB. It continuously adds chunks of 64KB and with the 255th one blob_add() returns a valid attribute pointer but the blob's buflen does not increase. The test is used to demonstrate the failure, which is fixed with a follow-up commit.

Signed-off-by: Zefir Kurtisi
[adjusted test case for cram usage]
Signed-off-by: Petr Štetiar
---
tests/cram/test_blob_buflen.t | 9 +++++++++
tests/test-blob-buflen.c | 31 +++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 tests/cram/test_blob_buflen.t
create mode 100644 tests/test-blob-buflen.c

diff --git a/tests/cram/test_blob_buflen.t b/tests/cram/test_blob_buflen.t
new file mode 100644
index 0000000..986e476
--- /dev/null
+++ b/tests/cram/test_blob_buflen.t
@@ -0,0 +1,9 @@
+check that blob buffer cannot exceed maximum buffer length:
+
+ $ [ -n "$TEST_BIN_DIR" ] && export PATH="$TEST_BIN_DIR:$PATH"
+
+ $ valgrind --quiet --leak-check=full test-blob-buflen
+ SUCCESS: failed to allocate attribute
+
+ $ test-blob-buflen-san
+ SUCCESS: failed to allocate attribute
diff --git a/tests/test-blob-buflen.c b/tests/test-blob-buflen.c
new file mode 100644
index 0000000..45ea379
--- /dev/null
+++ b/tests/test-blob-buflen.c
@@ -0,0 +1,31 @@
+#include
+
+#include "blobmsg.h"
+
+/* chunks of 64KB to be added to blob-buffer */
+#define BUFF_SIZE 0x10000
+/* exceed maximum blob buff-length */
+#define BUFF_CHUNKS (((BLOB_ATTR_LEN_MASK + 1) / BUFF_SIZE) + 1)
+
+int main(int argc, char **argv)
+{
+ int i;
+ static struct blob_buf buf;
+ blobmsg_buf_init(&buf);
+ int prev_len = buf.buflen;
+
+ for (i = 0; i < BUFF_CHUNKS; i++) {
+ struct blob_attr *attr = blob_new(&buf, 0, BUFF_SIZE);
+ if (!attr) {
+ fprintf(stderr, "SUCCESS: failed to allocate attribute\n");
+ break;
+ }
+ if (prev_len < buf.buflen) {
+ prev_len = buf.buflen;
+ continue;
+ }
+ fprintf(stderr, "ERROR: buffer length did not increase\n");
+ return -1;
+ }
+ return 0;
+}
--
cgit v1.2.3
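Review bot: If every `blob_new()` call in the loop succeeds and `buf.buflen` keeps growing, `main` falls out of the loop and returns 0 without printing anything, so the binary's exit status reports success in exactly the case where the length limit was not enforced. Only the cram output comparison would catch that. Adding `if (i == BUFF_CHUNKS) return 1;` (with an error message) before the final `return 0;` would make the exit status carry the result, and the error path's `return -1;` is better written as `return 1;`, since -1 becomes exit status 255. The return value of `blobmsg_buf_init(&buf)` is also unchecked, and a `blob_buf_free(&buf);` before returning would keep the valgrind and sanitizer runs clean without relying, as they presumably do now, on `buf` being static.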