tests: add blob-buffer overflow test
authorZefir Kurtisi <zefir.kurtisi@gmail.com>
Fri, 23 Apr 2021 17:48:00 +0000 (19:48 +0200)
committerPetr Štetiar <ynezz@true.cz>
Thu, 29 Apr 2021 13:34:21 +0000 (15:34 +0200)
The blob buffer has no limitation in place
to prevent buflen to exceed maximum size.

This commit adds a test to demonstrate how
a blob increases past the maximum allowed
size of 16MB. It continuously adds chunks
of 64KB and with the 255th one blob_add()
returns a valid attribute pointer but the
blob's buflen does not increase.

The test is used to demonstrate the
failure, which is fixed with a follow-up
commit.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@gmail.com>
[adjusted test case for cram usage]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
tests/cram/test_blob_buflen.t [new file with mode: 0644]
tests/test-blob-buflen.c [new file with mode: 0644]

diff --git a/tests/cram/test_blob_buflen.t b/tests/cram/test_blob_buflen.t
new file mode 100644 (file)
index 0000000..986e476
--- /dev/null
@@ -0,0 +1,9 @@
+check that blob buffer cannot exceed maximum buffer length:
+
+  $ [ -n "$TEST_BIN_DIR" ] && export PATH="$TEST_BIN_DIR:$PATH"
+
+  $ valgrind --quiet --leak-check=full test-blob-buflen
+  SUCCESS: failed to allocate attribute
+
+  $ test-blob-buflen-san
+  SUCCESS: failed to allocate attribute
diff --git a/tests/test-blob-buflen.c b/tests/test-blob-buflen.c
new file mode 100644 (file)
index 0000000..45ea379
--- /dev/null
@@ -0,0 +1,31 @@
+#include <stdio.h>
+
+#include "blobmsg.h"
+
+/* chunks of 64KB to be added to blob-buffer */
+#define BUFF_SIZE      0x10000
+/* exceed maximum blob buff-length */
+#define BUFF_CHUNKS    (((BLOB_ATTR_LEN_MASK + 1) / BUFF_SIZE) + 1)
+
+int main(int argc, char **argv)
+{
+       int i;
+       static struct blob_buf buf;
+       blobmsg_buf_init(&buf);
+       int prev_len = buf.buflen;
+
+       for (i = 0; i < BUFF_CHUNKS; i++) {
+               struct blob_attr *attr = blob_new(&buf, 0, BUFF_SIZE);
+               if (!attr) {
+                       fprintf(stderr, "SUCCESS: failed to allocate attribute\n");
+                       break;
+               }
+               if (prev_len < buf.buflen) {
+                       prev_len = buf.buflen;
+                       continue;
+               }
+               fprintf(stderr, "ERROR: buffer length did not increase\n");
+               return -1;
+       }
+       return 0;
+}
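Review bot: If blob_new() never returns NULL and buflen keeps growing, the loop in main() runs all BUFF_CHUNKS iterations and falls through to `return 0` without printing anything. The binary then exits successfully on exactly the unbounded-growth case it is meant to catch; only the cram output comparison would notice, not a caller that checks the exit status alone. Add a check after the loop, for example `if (i == BUFF_CHUNKS) { fprintf(stderr, "ERROR: no allocation failure past maximum length\n"); return 1; }`. The test also watches only `buf.buflen`. The length stored in the head attribute is presumably what is bounded by BLOB_ATTR_LEN_MASK, so comparing that against the mask would pin the overflow more directly, though this should be confirmed against blob.h. Calling `blob_buf_free(&buf);` on both exit paths would keep the valgrind run meaningful if `buf` ever stops being static.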