From 591a1e349f94a4a69dea0c0bb04919a41367c009 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@openwrt.org>
Date: Mon, 3 Oct 2011 12:36:46 +0200
Subject: fix reads beyond the end of the buffer when iterating over blob
 attributes

---
 blob.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'blob.h')

diff --git a/blob.h b/blob.h
index 10adde8..7f4a46a 100644
--- a/blob.h
+++ b/blob.h
@@ -258,14 +258,14 @@ blob_put_int64(struct blob_buf *buf, int id, uint64_t val)
 
 #define __blob_for_each_attr(pos, attr, rem) \
 	for (pos = (void *) attr; \
-		 (blob_pad_len(pos) <= rem) && \
+		 rem > 0 && (blob_pad_len(pos) <= rem) && \
 		 (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
 		 rem -= blob_pad_len(pos), pos = blob_next(pos))
 
 
 #define blob_for_each_attr(pos, attr, rem) \
 	for (rem = blob_len(attr), pos = blob_data(attr); \
-		 (blob_pad_len(pos) <= rem) && \
+		 rem > 0 && (blob_pad_len(pos) <= rem) && \
 		 (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
 		 rem -= blob_pad_len(pos), pos = blob_next(pos))
 
-- 
cgit v1.2.3