From: Hauke Mehrtens <hauke@hauke-m.de>
Date: Mon, 13 Oct 2025 21:59:33 +0000 (+0200)
Subject: ubusd: Fix out of bounds access in event register message
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=d31effb4277bd557f5ccf16d909422718c1e49d0;p=project%2Fubus.git

ubusd: Fix out of bounds access in event register message

The code assumes that the provided pattern is at least one byte long.
reject shorter patterns.

Empty messages could lead to heap corruptions and ubusd_acl_check()
bypass.

Reported-by: Karsten Sperling <ksperling@apple.com>
Fixes: 12623b43060a ("trim the wildcard of partial patterns to keep the avl tree sorted properly")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---

diff --git a/ubusd_event.c b/ubusd_event.c
index 15932a9..09c53dd 100644
--- a/ubusd_event.c
+++ b/ubusd_event.c
@@ -84,6 +84,9 @@ static int ubusd_alloc_event_pattern(struct ubus_client *cl, struct blob_attr *m
 	pattern = blobmsg_data(attr[EVREG_PATTERN]);
 
 	len = strlen(pattern);
+	if (len <= 0)
+		return UBUS_STATUS_PERMISSION_DENIED;
+
 	if (pattern[len - 1] == '*') {
 		partial = true;
 		pattern[len - 1] = 0;