From: Rafał Miłecki <[email protected]> After more reviews is seems that blobmsg_for_each_attr() should not be used when dealing with untrusted data as it reads length from blob data itself. It means it can't be used in the blobmsg_check_array_len().
Switch back to using __blobmsg_for_each_attr() BUT pass correct length to it. Calculate it by subtracting header length from blob length. Signed-off-by: Rafał Miłecki <[email protected]> --- blobmsg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/blobmsg.c b/blobmsg.c index 59045e1..2295aaa 100644 --- a/blobmsg.c +++ b/blobmsg.c @@ -142,7 +142,8 @@ int blobmsg_check_array_len(const struct blob_attr *attr, int type, return -1; } - blobmsg_for_each_attr(cur, attr, rem) { + rem = blob_len - ((uint8_t *)blobmsg_data(attr) - (uint8_t *)blob_data(attr)); + __blobmsg_for_each_attr(cur, attr, rem) { if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type) return -1; -- 2.26.1 _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
