blob_parse can be only used on trusted input as it has no possibility to
check the length of the provided input buffer, which might lead to
undefined behaviour and/or crashes when supplied with malformed,
corrupted or otherwise specially crafted input.
So this introduces blob_parse_untrusted variant which expects additional
input buffer length argument and thus should be able to process also
inputs from untrusted sources.
Signed-off-by: Petr Štetiar <yn...@true.cz>
---
blob.c | 24 ++++++++++++++++++++++++
blob.h | 7 +++++++
2 files changed, 31 insertions(+)
diff --git a/blob.c b/blob.c
index ee93894b9e6f..dc908d9ea745 100644
--- a/blob.c
+++ b/blob.c
@@ -252,6 +252,30 @@ blob_parse_attr(struct blob_attr *attr, struct blob_attr
**data, const struct bl
return found;
}
+int
+blob_parse_untrusted(struct blob_attr *attr, size_t attr_len, struct blob_attr
**data, const struct blob_attr_info *info, int max)
+{
+ struct blob_attr *pos;
+ size_t len = 0;
+ int found = 0;
+ size_t rem;
+
+ if (!attr || attr_len < sizeof(struct blob_attr))
+ return 0;
+
+ len = blob_raw_len(attr);
+ if (len != attr_len)
+ return 0;
+
+ memset(data, 0, sizeof(struct blob_attr *) * max);
+ blob_for_each_attr_len(pos, attr, len, rem) {
+ found += blob_parse_attr(pos, rem, data, info, max);
+ }
+
+ return found;
+}
+
+/* use only on trusted input, otherwise consider blob_parse_untrusted */
int
blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct
blob_attr_info *info, int max)
{
diff --git a/blob.h b/blob.h
index d34652229b59..af033607e309 100644
--- a/blob.h
+++ b/blob.h
@@ -199,6 +199,7 @@ extern void blob_nest_end(struct blob_buf *buf, void
*cookie);
extern struct blob_attr *blob_put(struct blob_buf *buf, int id, const void
*ptr, unsigned int len);
extern bool blob_check_type(const void *ptr, unsigned int len, int type);
extern int blob_parse(struct blob_attr *attr, struct blob_attr **data, const
struct blob_attr_info *info, int max);
+extern int blob_parse_untrusted(struct blob_attr *attr, size_t attr_len,
struct blob_attr **data, const struct blob_attr_info *info, int max);
extern struct blob_attr *blob_memdup(struct blob_attr *attr);
extern struct blob_attr *blob_put_raw(struct blob_buf *buf, const void *ptr,
unsigned int len);
@@ -254,5 +255,11 @@ blob_put_u64(struct blob_buf *buf, int id, uint64_t val)
(blob_pad_len(pos) >= sizeof(struct blob_attr)); \
rem -= blob_pad_len(pos), pos = blob_next(pos))
+#define blob_for_each_attr_len(pos, attr, attr_len, rem) \
+ for (rem = attr ? blob_len(attr) : 0, \
+ pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
+ rem >= sizeof(struct blob_attr) && rem < attr_len &&
(blob_pad_len(pos) <= rem) && \
+ (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+ rem -= blob_pad_len(pos), pos = blob_next(pos))
#endif
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
