Found by fuzzer:
ERROR: AddressSanitizer: SEGV on unknown address 0x602100000455
The signal is caused by a READ memory access.
#0 in blob_check_type blob.c:214:43
#1 in blob_parse_attr blob.c:234:9
#2 in blob_parse_untrusted blob.c:272:12
#3 in fuzz_blob_parse tests/fuzzer/test-blob-parse-fuzzer.c:34:2
#4 in LLVMFuzzerTestOneInput tests/fuzzer/test-blob-parse-fuzzer.c:39:2
Caused by following line:
if (type == BLOB_ATTR_STRING && data[len - 1] != 0)
where len was pointing outside of the data buffer.
Signed-off-by: Petr Štetiar <yn...@true.cz>
---
blob.c | 23 ++++++++++++++----
tests/cram/test_blob_parse.t | 2 ++
...h-333757b203a44751d3535f24b05f467183a96d09 | Bin 0 -> 10 bytes
3 files changed, 20 insertions(+), 5 deletions(-)
create mode 100644
tests/fuzz/corpus/crash-333757b203a44751d3535f24b05f467183a96d09
diff --git a/blob.c b/blob.c
index dc908d9ea745..528e717615d6 100644
--- a/blob.c
+++ b/blob.c
@@ -218,20 +218,33 @@ blob_check_type(const void *ptr, unsigned int len, int
type)
}
static int
-blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct
blob_attr_info *info, int max)
+blob_parse_attr(struct blob_attr *attr, size_t attr_len, struct blob_attr
**data, const struct blob_attr_info *info, int max)
{
+ int id;
+ size_t len;
int found = 0;
- int id = blob_id(attr);
- size_t len = blob_len(attr);
+ size_t data_len;
+ if (!attr || attr_len < sizeof(struct blob_attr))
+ return 0;
+
+ id = blob_id(attr);
if (id >= max)
return 0;
+ len = blob_raw_len(attr);
+ if (len > attr_len || len < sizeof(struct blob_attr))
+ return 0;
+
+ data_len = blob_len(attr);
+ if (data_len > len)
+ return 0;
+
if (info) {
int type = info[id].type;
if (type < BLOB_ATTR_LAST) {
- if (!blob_check_type(blob_data(attr), len, type))
+ if (!blob_check_type(blob_data(attr), data_len, type))
return 0;
}
@@ -285,7 +298,7 @@ blob_parse(struct blob_attr *attr, struct blob_attr **data,
const struct blob_at
memset(data, 0, sizeof(struct blob_attr *) * max);
blob_for_each_attr(pos, attr, rem) {
- found += blob_parse_attr(pos, data, info, max);
+ found += blob_parse_attr(pos, rem, data, info, max);
}
return found;
diff --git a/tests/cram/test_blob_parse.t b/tests/cram/test_blob_parse.t
index 77d8bdd858b6..1fd60bc71122 100644
--- a/tests/cram/test_blob_parse.t
+++ b/tests/cram/test_blob_parse.t
@@ -56,6 +56,8 @@ check that blob_parse is producing expected results:
cannot parse cert c42ac1c46f1d4e211c735cc7dfad4ff8391110e9
cannot parse cert crash-1b8fb1be45db3aff7699100f497fb74138f3df4f
cannot parse cert crash-1b8fb1be45db3aff7699100f497fb74138f3df4f
+ cannot parse cert crash-333757b203a44751d3535f24b05f467183a96d09
+ cannot parse cert crash-333757b203a44751d3535f24b05f467183a96d09
cannot parse cert crash-4c4d2c3c9ade5da9347534e290305c3b9760f627
cannot parse cert crash-4c4d2c3c9ade5da9347534e290305c3b9760f627
cannot parse cert crash-5e9937b197c88bf4e7b7ee2612456cad4cb83f5b
diff --git a/tests/fuzz/corpus/crash-333757b203a44751d3535f24b05f467183a96d09
b/tests/fuzz/corpus/crash-333757b203a44751d3535f24b05f467183a96d09
new file mode 100644
index
0000000000000000000000000000000000000000..b9a958e08d457aaeb05102bb0d654428ffca161e
GIT binary patch
literal 10
RcmZQzVBlh6U|=$10002a07U=*
literal 0
HcmV?d00001
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
