[OpenWrt-Devel] [PATCH libubox 15/20] blobmsg: fix heap buffer overflow in blobmsg_parse

Petr Štetiar Thu, 19 Dec 2019 14:03:31 -0800

Fixes following error found by the fuzzer:

 ==29774==ERROR: AddressSanitizer: heap-buffer-overflow
 READ of size 1 at 0x6020004f1c56 thread T0
     #0 strcmp sanitizer_common_interceptors.inc:442:3
     #1 blobmsg_parse blobmsg.c:168:8


Signed-off-by: Petr Štetiar <yn...@true.cz>
---
 blobmsg.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/blobmsg.c b/blobmsg.c
index 1a8b783e9ba9..71d4a36a647c 100644
--- a/blobmsg.c
+++ b/blobmsg.c
@@ -53,6 +53,9 @@ bool blobmsg_check_attr(const struct blob_attr *attr, bool 
name)
 
        id = blob_id(attr);
        len = blobmsg_data_len(attr);
+       if (len > blob_raw_len(attr))
+               return false;
+
        data = blobmsg_data(attr);
 
        if (id > BLOBMSG_TYPE_LAST)

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

[OpenWrt-Devel] [PATCH libubox 15/20] blobmsg: fix heap buffer overflow in blobmsg_parse

Reply via email to