From: Zefir Kurtisi <zefir.kurtisi@gmail.com>
Date: Fri, 23 Apr 2021 17:48:01 +0000 (+0200)
Subject: blob: fix exceeding maximum buffer length
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=b36a3a90098db64a46029355e308897c97fbe13d;p=project%2Flibubox.git

blob: fix exceeding maximum buffer length

Currently there is no measure in place to prevent the blob buffer
to exceed its maximum allowed length of 16MB. Continuously
calling blob_add() will expand the buffer until it exceeds
BLOB_ATTR_LEN_MASK and after that will return valid blob_attr
pointer without increasing the buflen.

A test program was added in the previous commit, this one fixes
the issue by asserting that the new bufflen after grow does not
exceed BLOB_ATTR_LEN_MASK.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@gmail.com>
---

diff --git a/blob.c b/blob.c
index 433becb..bd66d78 100644
--- a/blob.c
+++ b/blob.c
@@ -58,6 +58,8 @@ blob_buf_grow(struct blob_buf *buf, int required)
 {
 	int offset_head = attr_to_offset(buf, buf->head);
 
+	if ((buf->buflen + required) > BLOB_ATTR_LEN_MASK)
+		return false;
 	if (!buf->grow || !buf->grow(buf, required))
 		return false;