The current implementation of the blob buffer misses a mechanism to prevent the buflen from exceeding its maximum allowed size of 16MB (given by BLOB_ATTR_LEN_MASK). Instead of aborting and returning false in blob_buf_grow() when the limit is reached, blob_add() succeeds, providing valid blob_attr pointers without increasing the blob's buflen.
This series provides two commits with
* the first one adding a simple test to demonstrate the effect
* the second providing the fix

NOTE: obviously having blobs with buffers of more than 16MB does not really make sense, especially in embedded systems. The issue was detected not by working with huge buffers, but within a loop expanding the blob buffer until blob_add() returned NULL, which actually never happened.

Zefir Kurtisi (2):
  tests: add blob-buffer overflow test
  blob: fix exceeding maximum buffer length

 blob.c                   |  2 ++
 tests/test-blob-buffer.c | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 tests/test-blob-buffer.c

--
2.17.1
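
The following is an added example, not code from libubox or from this patch series: a simplified model of a growable buffer whose grow step refuses to exceed a 24-bit length cap, so that the add-until-NULL loop described above terminates. The names model_buf, model_grow, model_add, fill_until_null and LEN_MASK are hypothetical, and the cap value is an assumption matching the 16MB limit the message cites.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define LEN_MASK 0x00ffffffu /* assumed 24-bit length field: the 16MB cap */

/* Hypothetical stand-in for a growable attribute buffer (not libubox's struct). */
struct model_buf {
    unsigned char *buf;
    size_t buflen; /* bytes allocated */
    size_t used;   /* bytes handed out to callers */
};

/* Grow by `required` bytes; return false once the cap would be exceeded. */
static bool model_grow(struct model_buf *b, size_t required)
{
    /* Overflow-safe form of "buflen + required > LEN_MASK". */
    if (required > LEN_MASK || b->buflen > LEN_MASK - required)
        return false;
    unsigned char *p = realloc(b->buf, b->buflen + required);
    if (!p)
        return false;
    b->buf = p;
    b->buflen += required;
    return true;
}

/* Reserve `len` bytes; NULL when the buffer cannot grow any further.
 * Pointers returned earlier are invalidated by a later grow (realloc). */
static void *model_add(struct model_buf *b, size_t len)
{
    size_t avail = b->buflen - b->used;
    if (len == 0)
        return NULL;
    if (avail < len && !model_grow(b, len - avail))
        return NULL; /* caller sees the failure instead of a bogus pointer */
    void *p = b->buf + b->used;
    b->used += len;
    return p;
}

/* Add fixed-size chunks until NULL; return the bytes in use at that point. */
static size_t fill_until_null(size_t chunk)
{
    struct model_buf b = {0};
    while (model_add(&b, chunk))
        ;
    size_t used = b.used;
    free(b.buf);
    return used;
}
```
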