tests: add blob-buffer overflow test
The blob buffer has no limitation in place to prevent buflen to exceed maximum size. This commit adds a test to demonstrate how a blob increases past the maximum allowd size of 16MB. It continuously adds chunks of 64KB and with the 255th one blob_add() returns a valid attribute pointer but the blob's buflen does not increase. The test is used to demonstrate the failure, which is fixed with a follow-up commit. Signed-off-by: Zefir Kurtisi <zefir.kurtisi@gmail.com> [adjusted test case for cram usage] Signed-off-by: Petr Štetiar <ynezz@true.cz>
This commit is contained in:
parent
551d75b566
commit
a0dbcf8b8f
2 changed files with 40 additions and 0 deletions
9
tests/cram/test_blob_buflen.t
Normal file
9
tests/cram/test_blob_buflen.t
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
check that blob buffer cannot exceed maximum buffer length:
|
||||||
|
|
||||||
|
$ [ -n "$TEST_BIN_DIR" ] && export PATH="$TEST_BIN_DIR:$PATH"
|
||||||
|
|
||||||
|
$ valgrind --quiet --leak-check=full test-blob-buflen
|
||||||
|
SUCCESS: failed to allocate attribute
|
||||||
|
|
||||||
|
$ test-blob-buflen-san
|
||||||
|
SUCCESS: failed to allocate attribute
|
31
tests/test-blob-buflen.c
Normal file
31
tests/test-blob-buflen.c
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
#include "blobmsg.h"
|
||||||
|
|
||||||
|
/* chunks of 64KB to be added to blob-buffer */
|
||||||
|
#define BUFF_SIZE 0x10000
|
||||||
|
/* exceed maximum blob buff-length */
|
||||||
|
#define BUFF_CHUNKS (((BLOB_ATTR_LEN_MASK + 1) / BUFF_SIZE) + 1)
|
||||||
|
|
||||||
|
int main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
static struct blob_buf buf;
|
||||||
|
blobmsg_buf_init(&buf);
|
||||||
|
int prev_len = buf.buflen;
|
||||||
|
|
||||||
|
for (i = 0; i < BUFF_CHUNKS; i++) {
|
||||||
|
struct blob_attr *attr = blob_new(&buf, 0, BUFF_SIZE);
|
||||||
|
if (!attr) {
|
||||||
|
fprintf(stderr, "SUCCESS: failed to allocate attribute\n");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
if (prev_len < buf.buflen) {
|
||||||
|
prev_len = buf.buflen;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
fprintf(stderr, "ERROR: buffer length did not increase\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
Loading…
Reference in a new issue