blob: introduce blob_parse_untrusted

blob_parse can be only used on trusted input as it has no possibility to
check the length of the provided input buffer, which might lead to
undefined behaviour and/or crashes when supplied with malformed,
corrupted or otherwise specially crafted input.

So this introduces blob_parse_untrusted variant which expects additional
input buffer length argument and thus should be able to process also
inputs from untrusted sources.

Signed-off-by: Petr Štetiar <ynezz@true.cz>

diff --git a/blob.c b/blob.c
index ee93894b9e6fd36503c870cf3795a0d18774afda..dc908d9ea7454b07cc01c2e1897b1717796f0b4c 100644 (file)
--- a/blob.c
+++ b/blob.c
@@ -252,6 +252,30 @@ blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct bl
        return found;
 }
 
+int
+blob_parse_untrusted(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max)
+{
+       struct blob_attr *pos;
+       size_t len = 0;
+       int found = 0;
+       size_t rem;
+
+       if (!attr || attr_len < sizeof(struct blob_attr))
+               return 0;
+
+       len = blob_raw_len(attr);
+       if (len != attr_len)
+               return 0;
+
+       memset(data, 0, sizeof(struct blob_attr *) * max);
+       blob_for_each_attr_len(pos, attr, len, rem) {
+               found += blob_parse_attr(pos, rem, data, info, max);
+       }
+
+       return found;
+}
+
+/* use only on trusted input, otherwise consider blob_parse_untrusted */
 int
 blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max)
 {

diff --git a/blob.h b/blob.h
index d34652229b59000688fc0e803f538b896e3dd396..af033607e309a76ad9987c2d5c3ba661a6947fa1 100644 (file)
--- a/blob.h
+++ b/blob.h
@@ -199,6 +199,7 @@ extern void blob_nest_end(struct blob_buf *buf, void *cookie);
 extern struct blob_attr *blob_put(struct blob_buf *buf, int id, const void *ptr, unsigned int len);
 extern bool blob_check_type(const void *ptr, unsigned int len, int type);
 extern int blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max);
+extern int blob_parse_untrusted(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max);
 extern struct blob_attr *blob_memdup(struct blob_attr *attr);
 extern struct blob_attr *blob_put_raw(struct blob_buf *buf, const void *ptr, unsigned int len);
 
@@ -254,5 +255,11 @@ blob_put_u64(struct blob_buf *buf, int id, uint64_t val)
             (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
             rem -= blob_pad_len(pos), pos = blob_next(pos))
 
+#define blob_for_each_attr_len(pos, attr, attr_len, rem) \
+       for (rem = attr ? blob_len(attr) : 0, \
+            pos = (struct blob_attr *) (attr ? blob_data(attr) : NULL); \
+            rem >= sizeof(struct blob_attr) && rem < attr_len && (blob_pad_len(pos) <= rem) && \
+            (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
+            rem -= blob_pad_len(pos), pos = blob_next(pos))
 
 #endif