From b36a3a90098db64a46029355e308897c97fbe13d Mon Sep 17 00:00:00 2001
From: Zefir Kurtisi
Date: Fri, 23 Apr 2021 19:48:01 +0200
Subject: [PATCH] blob: fix exceeding maximum buffer length
Currently there is no measure in place to prevent the blob buffer to exceed its maximum allowed length of 16MB. Continuously calling blob_add() will expand the buffer until it exceeds BLOB_ATTR_LEN_MASK and after that will return valid blob_attr pointer without increasing the buflen. A test program was added in the previous commit, this one fixes the issue by asserting that the new bufflen after grow does not exceed BLOB_ATTR_LEN_MASK.
Signed-off-by: Zefir Kurtisi
---
blob.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/blob.c b/blob.c
index 433becb..bd66d78 100644
--- a/blob.c
+++ b/blob.c
@@ -58,6 +58,8 @@ blob_buf_grow(struct blob_buf *buf, int required)
 {
 int offset_head = attr_to_offset(buf, buf->head);
+ if ((buf->buflen + required) > BLOB_ATTR_LEN_MASK)
+ return false;
 if (!buf->grow || !buf->grow(buf, required))
 return false;
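Review bot: The new guard `if ((buf->buflen + required) > BLOB_ATTR_LEN_MASK)` forms the sum before comparing, so if `buflen` is a signed `int` like the `required` parameter in the hunk header, a very large `required` overflows the addition (undefined behaviour) and can wrap negative and slip past the check; a negative `required` is not rejected either. Writing it as `if (required < 0 || required > BLOB_ATTR_LEN_MASK - buf->buflen) return false;` enforces the same limit without arithmetic that can overflow. The check also bounds only what the caller asked for: if the `grow` callback is free to allocate more than `required` (rounding up, for instance), the buffer can still end up past the mask, so the commit message's claim that the post-grow length is asserted holds only when the callback grows by exactly `required`; a comment such as `/* buflen must stay within the 16MB limit encodable by BLOB_ATTR_LEN_MASK */` above the guard, and a second check on `buf->buflen` after `grow` returns, would make that explicit. blob_buf_grow's body continues past the end of the hunk.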