From 71f0be5e11b773ed4b09d1cc46099cdafacbd56a Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Sun, 23 Jan 2011 19:55:41 +0100 Subject: [PATCH] add blobmsg validation function --- blob.h | 2 +- blobmsg.c | 28 +++++++++++++++++++++------- blobmsg.h | 1 + 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/blob.h b/blob.h index 401a355..c9364e9 100644 --- a/blob.h +++ b/blob.h @@ -141,7 +141,7 @@ blob_id(struct blob_attr *attr) * blob_len: returns the length of the attribute's payload */ static inline unsigned int -blob_len(struct blob_attr *attr) +blob_len(const struct blob_attr *attr) { return (be32_to_cpu(attr->id_len) & BLOB_ATTR_LEN_MASK) - sizeof(struct blob_attr); } diff --git a/blobmsg.c b/blobmsg.c index 25b72ae..cc6b2f3 100644 --- a/blobmsg.c +++ b/blobmsg.c @@ -15,6 +15,26 @@ #include "blobmsg.h" +bool blobmsg_check_attr(const struct blob_attr *attr, bool name) +{ + const struct blobmsg_hdr *hdr; + + if (blob_len(attr) < sizeof(struct blobmsg_hdr)) + return false; + + hdr = (void *) attr->data; + if (!hdr->namelen && name) + return false; + + if (hdr->namelen > blob_len(attr)) + return false; + + if (hdr->name[hdr->namelen] != 0) + return false; + + return true; +} + int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len, struct blob_attr **tb, void *data, int len) { @@ -45,13 +65,7 @@ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len, if (hdr->namelen != pslen[i]) continue; - if (!hdr->namelen) - return -1; - - if (sizeof(*attr) + blobmsg_hdrlen(hdr->namelen) > blob_pad_len(attr)) - return -1; - - if (hdr->name[hdr->namelen] != 0) + if (!blobmsg_check_attr(attr, true)) return -1; if (tb[i]) diff --git a/blobmsg.h b/blobmsg.h index b50cca9..3085d00 100644 --- a/blobmsg.h +++ b/blobmsg.h @@ -65,6 +65,7 @@ static inline int blobmsg_data_len(struct blob_attr *attr) return blob_len(attr) - (end - start); } +bool blobmsg_check_attr(const struct blob_attr *attr, bool name); int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len, struct blob_attr **tb, void *data, int len); -- 2.25.1