From f2b2ee441adb22bdcab7247589545eb27c941d78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
Date: Tue, 10 Dec 2019 12:02:40 +0100
Subject: blobmsg: fix heap buffer overflow in blobmsg_parse
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes following error found by the fuzzer:

 ==29774==ERROR: AddressSanitizer: heap-buffer-overflow
 READ of size 1 at 0x6020004f1c56 thread T0
     #0 strcmp sanitizer_common_interceptors.inc:442:3
     #1 blobmsg_parse blobmsg.c:168:8

Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
 blobmsg.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'blobmsg.c')

diff --git a/blobmsg.c b/blobmsg.c
index 1a8b783..71d4a36 100644
--- a/blobmsg.c
+++ b/blobmsg.c
@@ -53,6 +53,9 @@ bool blobmsg_check_attr(const struct blob_attr *attr, bool name)
 
 	id = blob_id(attr);
 	len = blobmsg_data_len(attr);
+	if (len > blob_raw_len(attr))
+		return false;
+
 	data = blobmsg_data(attr);
 
 	if (id > BLOBMSG_TYPE_LAST)
-- 
cgit v1.2.3