<feed xmlns='http://www.w3.org/2005/Atom'>
<title>libubox, branch master</title>
<subtitle>C utility functions for OpenWrt</subtitle>
<id>https://git.openwrt.org/project/libubox/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/libubox/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/'/>
<updated>2026-05-23T00:06:41Z</updated>
<entry>
<title>blob, udebug-remote: silence -Wconversion warnings in trivial cases</title>
<updated>2026-05-23T00:06:41Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-05-21T20:30:38Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=1fe93d2fefb213ec987763e7e94ce5eaa757bfc3'/>
<id>urn:sha1:1fe93d2fefb213ec987763e7e94ce5eaa757bfc3</id>
<content type='text'>
blob.h is included by nearly every translation unit, so the conversions
in its inline helpers were reported over and over:

 - blob_id(): hold the masked/shifted id in an unsigned int; the
   function already returns unsigned int
 - blob_pad_len(): use size_t for the length (matching blob_raw_len())
   and an unsigned mask, instead of unsigned int and a signed ~mask
 - blob_get_int8/16/32/64(): make the intended reinterpretation of the
   unsigned value as signed explicit with a cast

udebug-remote: rb-&gt;pcap_iface is a uint32_t, so assign ~0U instead of
the signed ~0 (GCC flagged the latter as changing -1 to 4294967295).

No functional change.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
Link: https://github.com/openwrt/libubox/pull/46
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>treewide: use size_t for length variables to avoid implicit narrowing</title>
<updated>2026-05-23T00:06:36Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-05-21T20:18:16Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=73a21977c52a47f9a0ccb6116553083b118d0084'/>
<id>urn:sha1:73a21977c52a47f9a0ccb6116553083b118d0084</id>
<content type='text'>
Several local length variables stored the result of size_t-returning
functions (strlen, blob_pad_len, blob_raw_len, array_list_length) in an
int, which GCC's -Wconversion reports as a potentially value-changing
narrowing conversion.

Widen these variables (and one static helper and one static function
parameter) to size_t where the int type was not needed:

 - avl-cmp: _min() and the memcmp() length in avl_blobcmp()
 - blob: len/delta in blob_fill_pad()
 - blobmsg_json: loop counters in blobmsg_add_array() and the length
   parameter of blobmsg_format_json_list()
 - jshn: loop counters in add_json_array()

udebug_entry_printf() stored the int result of udebug_entry_vprintf() in
a size_t; use int there instead.

No functional change.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
Link: https://github.com/openwrt/libubox/pull/46
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>udebug-remote: pass size_t to calloc_a()</title>
<updated>2026-05-23T00:06:31Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-05-21T19:29:46Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=9afc710534817a3066e42542b3ef07ccd1e903a7'/>
<id>urn:sha1:9afc710534817a3066e42542b3ef07ccd1e903a7</id>
<content type='text'>
udebug_remote_buf_snapshot() passed data_size, a uint32_t, as a chunk
size to calloc_a(). __calloc_a() reads chunk sizes as size_t through
varargs, so on LP64 systems va_arg(ap, size_t) reads 8 bytes where
only 4 were pushed. Cast data_size to size_t at the call site.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Link: https://github.com/openwrt/libubox/pull/46
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>json_script: use size_t for calloc_a() length argument</title>
<updated>2026-05-23T00:06:26Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-05-21T19:29:42Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=19e88cc41288478ae01d9246065ad319f9ca4e8e'/>
<id>urn:sha1:19e88cc41288478ae01d9246065ad319f9ca4e8e</id>
<content type='text'>
json_script_file_from_blobmsg() passed name_len, a plain int, as a
chunk size to calloc_a(). __calloc_a() reads chunk sizes as size_t
through varargs, so on LP64 systems va_arg(ap, size_t) reads 8 bytes
where only 4 were pushed. Widen name_len to size_t.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Link: https://github.com/openwrt/libubox/pull/46
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>md5: detect read errors in md5sum() instead of returning a bogus hash</title>
<updated>2026-05-03T20:18:04Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-04-23T21:40:36Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=1501e60e5554bd206c9b13532b7352e668508420'/>
<id>urn:sha1:1501e60e5554bd206c9b13532b7352e668508420</id>
<content type='text'>
fread() returning 0 was treated as end of file, but it can also
mean a read error. In that case the loop terminated and md5_end()
ran on the partial data, so the caller received an md5 sum that did
not correspond to the file content and no error was reported.

Distinguish EOF from read errors with ferror() and bail out with
-1 on a real failure. Also use size_t for the return value of
fread().

Link: https://github.com/openwrt/libubox/pull/42
Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>ustream: avoid INT_MAX overflow on malloc in ustream_vprintf()</title>
<updated>2026-05-03T20:18:01Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-04-23T21:40:10Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=5fbef5bb94fbddba71d43d816d637c13c8ddf4d3'/>
<id>urn:sha1:5fbef5bb94fbddba71d43d816d637c13c8ddf4d3</id>
<content type='text'>
vsnprintf() returns the length the formatted output would have had
if the buffer were unlimited. When that length is INT_MAX, the
following 'maxlen + 1' wraps to a negative value (-&gt; huge size_t),
so malloc() either fails or, on 32-bit systems, returns a far too
small allocation that the subsequent vsnprintf() then overruns.

Reject INT_MAX explicitly in both call sites that allocate the
oversized buffer.

Link: https://github.com/openwrt/libubox/pull/42
Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>blobmsg: fix integer overflow in blobmsg_realloc_string_buffer()</title>
<updated>2026-05-03T20:17:58Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-04-23T21:39:16Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=8c9862b6921b8fa7a53a5454ceb62286eed64ba4'/>
<id>urn:sha1:8c9862b6921b8fa7a53a5454ceb62286eed64ba4</id>
<content type='text'>
'maxlen + 1' wraps to 0 when maxlen is UINT_MAX, and the mixed
signed/unsigned subtraction that produced 'required' could store a
huge unsigned value into a signed int. In either case the function
might return without growing the buffer while the caller assumes
maxlen bytes are now available, leading to an out-of-bounds write.

Reject UINT_MAX explicitly (matching blobmsg_alloc_string_buffer())
and rewrite the size comparison so the arithmetic stays in unsigned
space and is bounded.

Link: https://github.com/openwrt/libubox/pull/42
Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>json_script: avoid alloca() on attacker-controlled pattern length</title>
<updated>2026-05-03T20:17:55Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-04-23T21:38:25Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=0fa612ca08f7b7dce18397d531226d6678144439'/>
<id>urn:sha1:0fa612ca08f7b7dce18397d531226d6678144439</id>
<content type='text'>
eval_string() copied the pattern into a stack buffer sized via
alloca(strlen(pattern) + 1). Patterns come from the JSON script
input and may be arbitrarily large; a multi-MB pattern would smash
the stack and crash (or, in the worst case, jump past a guard
page).

Allocate the working copy on the heap instead and free it before
returning. While at it, drop the strcpy() in favour of memcpy()
with the length we just computed.

Link: https://github.com/openwrt/libubox/pull/42
Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>blob: use size_t for blob_memdup() length</title>
<updated>2026-05-03T20:17:52Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-04-23T21:37:22Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=02fccb465651f470ddd988f60036f22e485b5ac8'/>
<id>urn:sha1:02fccb465651f470ddd988f60036f22e485b5ac8</id>
<content type='text'>
blob_pad_len() returns size_t and the value is used as a memory
allocation/copy size. Storing it in a signed int could truncate or
turn the value negative on platforms or inputs where the padded
length exceeds INT_MAX, leading to a too-small malloc() and an
out-of-bounds memcpy().

Link: https://github.com/openwrt/libubox/pull/42
Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>blob: fix integer overflow in buffer growth functions</title>
<updated>2026-05-03T20:17:49Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-04-23T21:36:45Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=40a87f734b940198600324c70df614d537d21e33'/>
<id>urn:sha1:40a87f734b940198600324c70df614d537d21e33</id>
<content type='text'>
blob_buffer_grow() computed delta and the new buffer size as plain
int additions without checking for overflow. With sufficiently large
inputs the result could wrap around to a small positive value, so
realloc() would shrink the buffer and subsequent writes would
overflow the heap.

blob_buf_grow() suffered from the same issue: '(buf-&gt;buflen +
required) &gt; BLOB_ATTR_LEN_MASK' is evaluated after the addition
already wraps, so the bound check could be bypassed.

Reject negative inputs explicitly and rewrite the bound checks so
the arithmetic cannot overflow.

Link: https://github.com/openwrt/libubox/pull/42
Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
</feed>
