From b0e21553ae8c58d5db8103a0ea4d6095c6e4fe07 Mon Sep 17 00:00:00 2001 From: Tobias Schramm Date: Thu, 15 Nov 2018 03:42:48 +0100 Subject: blobmsg: add _len variants for all attribute checking methods MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduce _len variants of blobmsg attribute checking functions which aims to provide safer implementation as those functions should limit all memory accesses performed on the blob to the range [attr, attr + len] (upper bound non inclusive) and thus should be suited for checking of untrusted blob attributes. While at it add some comments in order to make it clear. Signed-off-by: Tobias Schramm [_safe -> _len, blobmsg_check_array_len fix, commit subject/desc facelift] Signed-off-by: Petr Štetiar --- blobmsg.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) (limited to 'blobmsg.c') diff --git a/blobmsg.c b/blobmsg.c index fbc6d2d..7cd0934 100644 --- a/blobmsg.c +++ b/blobmsg.c @@ -100,12 +100,22 @@ bool blobmsg_check_attr_len(const struct blob_attr *attr, bool name, size_t len) } int blobmsg_check_array(const struct blob_attr *attr, int type) +{ + return blobmsg_check_array_len(attr, type, blob_raw_len(attr)); +} + +int blobmsg_check_array_len(const struct blob_attr *attr, int type, size_t len) { struct blob_attr *cur; bool name; - size_t rem; int size = 0; + if (type > BLOBMSG_TYPE_LAST) + return -1; + + if (!blobmsg_check_attr_len(attr, false, len)) + return -1; + switch (blobmsg_type(attr)) { case BLOBMSG_TYPE_TABLE: name = true; @@ -117,11 +127,11 @@ int blobmsg_check_array(const struct blob_attr *attr, int type) return -1; } - blobmsg_for_each_attr(cur, attr, rem) { + __blobmsg_for_each_attr(cur, attr, len) { if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type) return -1; - if (!blobmsg_check_attr(cur, name)) + if (!blobmsg_check_attr_len(cur, name, len)) return -1; size++; @@ -135,6 +145,11 @@ bool blobmsg_check_attr_list(const struct blob_attr *attr, int type) return blobmsg_check_array(attr, type) >= 0; } +bool blobmsg_check_attr_list_len(const struct blob_attr *attr, int type, size_t len) +{ + return blobmsg_check_array_len(attr, type, len) >= 0; +} + int blobmsg_parse_array(const struct blobmsg_policy *policy, int policy_len, struct blob_attr **tb, void *data, unsigned int len) { -- cgit v1.2.3