Rafał Miłecki [2020-05-25 10:31:06]:
Hi,
> From: Rafał Miłecki
>
> After more reviews is seems that blobmsg_for_each_attr() should not be
> used when dealing with untrusted data as it reads length from blob data
> itself. It means it can't be used in the blobmsg_check_array_len().
>
> Switch
Felix Fietkau [2020-05-25 10:51:36]:
Hi,
> I think your previous fix is completely fine as-is.
just FYI Rafał's fix triggered fuzzer CI failure[1], regression, I'm able to
reproduce it localy so it's not false positive. So perhaps there's some
additional check missing somewhere?
$ echo
On 2020-05-25 10:31, Rafał Miłecki wrote:
> From: Rafał Miłecki
>
> After more reviews is seems that blobmsg_for_each_attr() should not be
> used when dealing with untrusted data as it reads length from blob data
> itself. It means it can't be used in the blobmsg_check_array_len().
>
> Switch
From: Rafał Miłecki
After more reviews is seems that blobmsg_for_each_attr() should not be
used when dealing with untrusted data as it reads length from blob data
itself. It means it can't be used in the blobmsg_check_array_len().
Switch back to using __blobmsg_for_each_attr() BUT pass correct
