| author | Hauke Mehrtens | 2025-10-13 21:59:33 +0000 |
|---|---|---|
| committer | Felix Fietkau | 2025-10-14 10:15:17 +0000 |
| commit | d31effb4277bd557f5ccf16d909422718c1e49d0 (patch) | |
| tree | 8ca54b8bf97f899f0fbff0cf544c6cdd149a344f | |
| parent | 83a70399030dd6e97b650b11ba570b6c896feb6d (diff) | |
| download | ubus-d31effb4277bd557f5ccf16d909422718c1e49d0.tar.gz | |
ubusd: Fix out of bounds access in event register message
The code assumes that the provided pattern is at least one byte long.
Reject shorter patterns.
Empty messages could lead to heap corruptions and ubusd_acl_check()
bypass.
Reported-by: Karsten Sperling <ksperling@apple.com>
Fixes: 12623b43060a ("trim the wildcard of partial patterns to keep the avl tree sorted properly")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
| -rw-r--r-- | ubusd_event.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/ubusd_event.c b/ubusd_event.c index 15932a9..09c53dd 100644 --- a/ubusd_event.c +++ b/ubusd_event.c @@ -84,6 +84,9 @@ static int ubusd_alloc_event_pattern(struct ubus_client *cl, struct blob_attr *m pattern = blobmsg_data(attr[EVREG_PATTERN]); len = strlen(pattern); + if (len <= 0) + return UBUS_STATUS_PERMISSION_DENIED; + if (pattern[len - 1] == '*') { partial = true; pattern[len - 1] = 0; |
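Review bot: In the added guard ahead of `pattern[len - 1]`, the comparison `len <= 0` covers a case that cannot occur, since strlen() never returns a negative value; `if (!len)` or `len == 0` states the intent directly. A one-line comment saying that an empty pattern would make `pattern[len - 1]` index the byte before the string would record why the guard exists. Consider returning UBUS_STATUS_INVALID_ARGUMENT instead of UBUS_STATUS_PERMISSION_DENIED, because an empty pattern is a malformed request rather than an authorization failure. The `strlen(pattern)` call above the guard also depends on the EVREG_PATTERN attribute being NUL-terminated, which the visible lines do not show being validated, so it is worth confirming that this is enforced before this point.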