fix reads beyond the end of the buffer when iterating over blob attributes

diff --git a/blob.h b/blob.h
index 10adde87c0784dff18c3732e2223d41e57a691d2..7f4a46ab405b9d7aaddfac6f8401d056d56888b4 100644 (file)
--- a/blob.h
+++ b/blob.h
@@ -258,14 +258,14 @@ blob_put_int64(struct blob_buf *buf, int id, uint64_t val)
 
 #define __blob_for_each_attr(pos, attr, rem) \
        for (pos = (void *) attr; \
-                (blob_pad_len(pos) <= rem) && \
+                rem > 0 && (blob_pad_len(pos) <= rem) && \
                 (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
                 rem -= blob_pad_len(pos), pos = blob_next(pos))
 
 
 #define blob_for_each_attr(pos, attr, rem) \
        for (rem = blob_len(attr), pos = blob_data(attr); \
-                (blob_pad_len(pos) <= rem) && \
+                rem > 0 && (blob_pad_len(pos) <= rem) && \
                 (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
                 rem -= blob_pad_len(pos), pos = blob_next(pos))
 

diff --git a/blobmsg.h b/blobmsg.h
index a63fcadd992e8f0b3f1d940dd9a60c88f29d3190..f2ab007546d95547709d3e8e46b3e5c180177455 100644 (file)
--- a/blobmsg.h
+++ b/blobmsg.h
@@ -177,7 +177,7 @@ void blobmsg_add_string_buffer(struct blob_buf *buf);
 
 #define blobmsg_for_each_attr(pos, attr, rem) \
        for (rem = blobmsg_data_len(attr), pos = blobmsg_data(attr); \
-                (blob_pad_len(pos) <= rem) && \
+                rem > 0 && (blob_pad_len(pos) <= rem) && \
                 (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
                 rem -= blob_pad_len(pos), pos = blob_next(pos))