Rafał Miłecki <zaj...@gmail.com> [2020-05-25 10:31:06]:
Hi,
> From: Rafał Miłecki <ra...@milecki.pl>
>
> After more reviews is seems that blobmsg_for_each_attr() should not be
> used when dealing with untrusted data as it reads length from blob data
> itself. It means it can't be used in the blobmsg_check_array_len().
>
> Switch back to using __blobmsg_for_each_attr() BUT pass correct length
> to it. Calculate it by subtracting header length from blob length.
>
> Signed-off-by: Rafał Miłecki <ra...@milecki.pl>
> ---
> blobmsg.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/blobmsg.c b/blobmsg.c
> index 59045e1..2295aaa 100644
> --- a/blobmsg.c
> +++ b/blobmsg.c
> @@ -142,7 +142,8 @@ int blobmsg_check_array_len(const struct blob_attr *attr,
> int type,
> return -1;
> }
>
> - blobmsg_for_each_attr(cur, attr, rem) {
> + rem = blob_len - ((uint8_t *)blobmsg_data(attr) - (uint8_t
> *)blob_data(attr));
looks like blobmsg_data_len()?
> + __blobmsg_for_each_attr(cur, attr, rem) {
> if (type != BLOBMSG_TYPE_UNSPEC && blobmsg_type(cur) != type)
> return -1;
-- ynezz
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
