ubusd: Fix out of bounds access in event register message

The code assumes that the provided pattern is at least one byte long.
reject shorter patterns.

Empty messages could lead to heap corruptions and ubusd_acl_check()
bypass.

Reported-by: Karsten Sperling <[email protected]>
Fixes: 12623b43060a ("trim the wildcard of partial patterns to keep the avl tree sorted properly")
Signed-off-by: Hauke Mehrtens <[email protected]>

diff --git a/ubusd_event.c b/ubusd_event.c
index 15932a9f4535a110d89962cc5dc7b54face60382..09c53dd62e93e6ef82e13bf137248f29e9aff43b 100644 (file)
--- a/ubusd_event.c
+++ b/ubusd_event.c
@@ -84,6 +84,9 @@ static int ubusd_alloc_event_pattern(struct ubus_client *cl, struct blob_attr *m
        pattern = blobmsg_data(attr[EVREG_PATTERN]);
 
        len = strlen(pattern);
+       if (len <= 0)
+               return UBUS_STATUS_PERMISSION_DENIED;
+
        if (pattern[len - 1] == '*') {
                partial = true;
                pattern[len - 1] = 0;