libubox: backport additional length-checking fixes
[openwrt/staging/hauke.git] / package / libs / libubox / patches / 0020-blobmsg-simplify-and-fix-name-length-checks-in-blobm.patch
1 From 639c29d19717616b809d9a1e9042461ab8024370 Mon Sep 17 00:00:00 2001
2 From: Felix Fietkau <nbd@nbd.name>
3 Date: Mon, 25 May 2020 14:49:35 +0200
4 Subject: [PATCH] blobmsg: simplify and fix name length checks in
5 blobmsg_check_name
6
7 blobmsg_hdr_valid_namelen was omitted when name==false
8 The blob_len vs blobmsg_namelen changes were not taking into account
9 potential padding between name and data
10
11 Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 ---
13 blobmsg.c | 13 ++++---------
14 1 file changed, 4 insertions(+), 9 deletions(-)
15
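--- a/blobmsg.c
+++ b/blobmsg.c
@@ -54,8 +54,8 @@ static bool blobmsg_hdr_valid_namelen(co
 
 static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name)
 {
- char *limit = (char *) attr + len;
 const struct blobmsg_hdr *hdr;
+ uint16_t namelen;
 
 hdr = blobmsg_hdr_from_blob(attr, len);
 if (!hdr)
@@ -64,16 +64,11 @@ static bool blobmsg_check_name(const str
 if (name && !hdr->namelen)
 return false;
 
- if (name && !blobmsg_hdr_valid_namelen(hdr, len))
+ namelen = blobmsg_namelen(hdr);
+ if (blob_len(attr) < (size_t)blobmsg_hdrlen(namelen))
 return false;
 
- if ((char *) hdr->name + blobmsg_namelen(hdr) + 1 > limit)
- return false;
-
- if (blobmsg_namelen(hdr) > (blob_len(attr) - sizeof(struct blobmsg_hdr)))
- return false;
-
- if (hdr->name[blobmsg_namelen(hdr)] != 0)
+ if (hdr->name[namelen] != 0)
 return false;
 
 return true;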
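Review bot: The new bound in `blobmsg_check_name` compares `blob_len(attr)`, a length read from the attribute's own header, against the padded header length, and with the `limit` check removed `len` is now used only by `blobmsg_hdr_from_blob()`. Nothing in the visible lines ties the attribute's declared length to the caller's buffer size, so the read of `hdr->name[namelen]` stays in bounds only if the caller has already rejected attributes whose raw length exceeds `len`. That caller is outside these hunks and should be confirmed. If the guarantee is not there, add `if (blob_raw_len(attr) > len) return false;` before the `namelen` check; if it is, record the precondition above the function with `/* caller must ensure blob_raw_len(attr) <= len */`.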