Fix out of bounds read in blobmsg_parse and blobmsg_check_name. The
out of bounds read happens because blob_attr and blobmsg_hdr have
flexible array members, whose size is 0 in the corresponding sizeofs.
For example the __blob_for_each_attr macro checks whether rem >=
sizeof(struct blob_attr). However, what LibFuzzer discovered was,
if the input data was only 4 bytes, the data would be casted to blob_attr,
and later on blob_data(attr) would be called even though attr->data was empty.
The same issue could appear with data larger than 4 bytes, where data
wasn't empty, but contained only the start of the blobmsg_hdr struct,
and blobmsg_hdr name was empty. The bugs were discovered by fuzzing
blobmsg_parse and blobmsg_array_parse with LibFuzzer.
Signed-off-by: Juraj Vijtiuk <juraj.vijt...@sartura.hr>
CC: Luka Perkov <luka.per...@sartura.hr>
diff --git a/blobmsg.c b/blobmsg.c
index 1dd57e1..0988f60 100644
--- a/blobmsg.c
+++ b/blobmsg.c
@@ -35,10 +35,16 @@ static bool blobmsg_check_name(const struct blob_attr
*attr, size_t len, bool na
char *limit = (char *) attr + len;
const struct blobmsg_hdr *hdr;
+ if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr))
+ return false;
+
hdr = blob_data(attr);
if (name && !hdr->namelen)
return false;
+ if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr) +
blobmsg_namelen(hdr) + 1)
+ return false;
+
if ((char *) hdr->name + blobmsg_namelen(hdr) > limit)
return false;
@@ -191,7 +197,11 @@ int blobmsg_parse(const struct blobmsg_policy *policy, int
policy_len,
}
__blob_for_each_attr(attr, data, len) {
+ if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr))
+ return -1;
hdr = blob_data(attr);
+ if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr)
+ blobmsg_namelen(hdr) + 1)
+ return -1;
for (i = 0; i < policy_len; i++) {
if (!policy[i].name)
continue;
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
