Commit graph

48 commits

Author SHA1 Message Date
Chris Nisbet
75e300aeec blobmsg: fix wrong payload len passed from blobmsg_check_array
Fix incorrect use of blobmsg_len() on passed blobmsg to
blobmsg_check_array_len() introduced in commit 379cd33d19
("fix wrong payload len passed from blobmsg_check_array") by using correct
blob_len().

By using blobmsg_len() a value too small was passed to blobmsg_check_array()
which could lead to this function returning an error when there is none.

Fixes: 379cd33d19 ("fix wrong payload len passed from blobmsg_check_array")
Signed-off-by: Chris Nisbet <nischris@gmail.com>
[add fixes tag, rewrap commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-27 21:56:01 +01:00
Juraj Vijtiuk
43a103ff17 blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
Fix out of bounds read in blobmsg_parse and blobmsg_check_name. The
out of bounds read happens because blob_attr and blobmsg_hdr have
flexible array members, whose size is 0 in the corresponding sizeofs.
For example the __blob_for_each_attr macro checks whether rem >=
sizeof(struct blob_attr). However, what LibFuzzer discovered was,
if the input data was only 4 bytes, the data would be casted to blob_attr,
and later on blob_data(attr) would be called even though attr->data was empty.
The same issue could appear with data larger than 4 bytes, where data
wasn't empty, but contained only the start of the blobmsg_hdr struct,
and blobmsg_hdr name was empty. The bugs were discovered by fuzzing
blobmsg_parse and blobmsg_array_parse with LibFuzzer.

CC: Luka Perkov <luka.perkov@sartura.hr>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
[refactored some checks, added fuzz inputs, adjusted unit test results]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-20 16:54:10 +01:00
Petr Štetiar
132ecb563d blobmsg: blobmsg_vprintf: prefer vsnprintf
Better safe than sorry and while at it add handling of possible
*printf() failures.

Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-20 16:54:10 +01:00
Petr Štetiar
cd75136b13 blobmsg: fix wrong payload len passed from blobmsg_check_array
Fix incorrect use of blob_raw_len() on passed blobmsg to
blobmsg_check_array_len()  introduced in commit b0e21553ae ("blobmsg:
add _len variants for all attribute checking methods") by using correct
blobmsg_len().

This wrong (higher) length was then for example causing issues in
procd's instance_config_parse_command() where blobmsg_check_attr_list()
was failing sanity checking of service command, thus resulting in the
startup failures of some services like collectd, nlbwmon and samba4.

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020840.html
Fixes: b0e21553ae ("blobmsg: add _len variants for all attribute checking methods")
Reported-by: Hannu Nyman <hannu.nyman@welho.com>
Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-28 21:17:46 +01:00
Petr Štetiar
eb7eb6393d blobmsg: fix array out of bounds GCC 10 warning
Fixes following warning reported by GCC 10.0.0 20191203:

 blobmsg.c:234:2: error: 'strcpy' offset 6 from the object at 'attr' is out of the bounds of referenced subobject 'name' with type 'uint8_t[0]' {aka 'unsigned char[0]'} at offset 6 [-Werror=array-bounds]
   234 |  strcpy((char *) hdr->name, (const char *)name);
       |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 In file included from blobmsg.c:16:
 blobmsg.h:42:10: note: subobject 'name' declared here
    42 |  uint8_t name[];
       |          ^~~~

Reported-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 17:14:32 +01:00
Petr Štetiar
86f6a5b8d1 blobmsg: reuse blobmsg_namelen in blobmsg_data
Move blobmsg_namelen into header file so it's possible to reuse it in
blobmsg_data.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 10:31:58 +01:00
Tobias Schramm
b0e21553ae blobmsg: add _len variants for all attribute checking methods
Introduce _len variants of blobmsg attribute checking functions which
aims to provide safer implementation as those functions should limit all
memory accesses performed on the blob to the range [attr, attr + len]
(upper bound non inclusive) and thus should be suited for checking of
untrusted blob attributes.

While at it add some comments in order to make it clear.

Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[_safe -> _len, blobmsg_check_array_len fix, commit subject/desc facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 10:31:58 +01:00
Tobias Schramm
cd3059796a Replace use of blobmsg_check_attr by blobmsg_check_attr_len
blobmsg_check_attr_len adds a length limit specifying the max offset
from attr that can be read safely.

Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[rebased and reworked, line wrapped commit message, _safe -> _len]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 10:31:58 +01:00
Petr Štetiar
f2b2ee441a blobmsg: fix heap buffer overflow in blobmsg_parse
Fixes following error found by the fuzzer:

 ==29774==ERROR: AddressSanitizer: heap-buffer-overflow
 READ of size 1 at 0x6020004f1c56 thread T0
     #0 strcmp sanitizer_common_interceptors.inc:442:3
     #1 blobmsg_parse blobmsg.c:168:8

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 10:31:58 +01:00
Petr Štetiar
4dfd24ed88 blobmsg: make blobmsg_len and blobmsg_data_len return unsigned value
One usually doesn't guard against negative length values in the code.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 10:31:58 +01:00
Petr Štetiar
46f8268b4b blobmsg/ulog: fix format string compiler warnings
Fixes following compiler warnings:

 blobmsg.c:242:39: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
 blobmsg.c:248:23: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
 ulog.c💯18: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
 ulog.c:112:16: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
 ulog.c:117:20: error: format string is not a string literal [-Werror,-Wformat-nonliteral]

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-07 23:47:03 +01:00
Petr Štetiar
6228df9de9 iron out all extra compiler warnings
gcc-9 on x86/64 has reported following issues:

 base64.c:173:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 base64.c:230:18: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 base64.c:238:18: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 base64.c:242:22: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 base64.c:252:18: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 base64.c:256:22: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 base64.c:266:18: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 base64.c:315:27: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 base64.c:329:15: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 blob.c:207:11: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
 blob.c:210:11: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
 blob.c:243:31: error: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Werror=sign-compare]
 blob.c:246:31: error: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Werror=sign-compare]
 blob.h:245:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
 blob.h:253:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
 blobmsg.h:269:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
 blobmsg_json.c:155:10: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
 examples/../blob.h:245:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
 examples/../blobmsg.h:269:37: error: comparison of integer expressions of different signedness: ‘unsigned int’ and ‘int’ [-Werror=sign-compare]
 json_script.c:590:7: error: this statement may fall through [-Werror=implicit-fallthrough=]

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-11-20 14:34:01 +01:00
John Crispin
c83a84afbe fix segfault when passed blobmsg attr is NULL
Signed-off-by: John Crispin <john@phrozen.org>
2018-07-25 10:30:05 +02:00
André Gaul
7f671b1e68 blobmsg: add support for double
This adds support for double floating point type to make it more JSON
compatible. For type checking it also adds a stub BLOB_ATTR_DOUBLE type.
If necessary, the accessor functions for blob can be added later

Signed-off-by: André Gaul <andre@gaul.io>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-04 21:36:31 +01:00
Matthias Schiffer
1f019ceea1 Fix various memory management issues
Consistently handle allocation failures. Some functions are changed to
return bool or int instead of void to allow returning an error.

Also fix a buffer size miscalculation in lua/uloop and use _exit() instead
of exit() on errors after forking.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-06-26 12:53:51 +02:00
Yousong Zhou
7f1ce63a84 blobmsg: remove unneeded assignment in blobmsg_alloc_string_buffer().
data_dest should already be assigned by blobmsg_new() if the return
value is not NULL.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2014-12-11 17:58:29 +01:00
ewolfok
22bbcfddd7 blob: improve out-of-memory handling
Signed-off-by: Chen Bin <ewolfok@126.com>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2014-07-26 03:50:50 +02:00
Felix Fietkau
7ba1f8acd8 blobmsg: add blobmsg_check_array, which returns the size of the array
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2014-07-15 10:52:12 +02:00
Felix Fietkau
d07b174de8 blobmsg: make length variables unsigned
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2014-04-27 16:32:09 +02:00
Felix Fietkau
93a4cb92c1 blobmsg: remove unnecessary initialization
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2014-04-12 20:20:36 +02:00
Felix Fietkau
58aec3c59a blobmsg: allow data/length iterator/accessor functions to work on non-blobmsg elements
This primarily helps with simplifying the ubus APIs.
blobmsg header presence is indicated by the BLOB_ATTR_EXTENDED bit in
the id_len field.

This changes the format ABI, but not the API.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2014-03-12 20:18:12 +01:00
Felix Fietkau
458c3937bc blob: add a magic offset to nesting cookies to ensure that NULL is never returned as a normal value
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2013-10-16 01:22:02 +02:00
Felix Fietkau
af2f52a37b blobmsg: implement blobmsg_printf and blobmsg_vprintf
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2013-02-17 16:42:12 +01:00
Felix Fietkau
4ab499899c blobmsg: add blobmsg_realloc_string_buffer()
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2013-02-10 20:43:51 +01:00
Felix Fietkau
1ec5b85848 blobmsg: fix blobmsg_parse_array, drop name field requirement
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2013-01-13 09:07:32 +01:00
Felix Fietkau
4b5f278195 blobmsg: allow BLOBMSG_TYPE_UNSPEC attributes, treat them as null for JSON conversion
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2013-01-13 09:02:51 +01:00
Felix Fietkau
2f74dbad14 blobmsg: add blobmsg_parse_array()
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2013-01-08 02:05:03 +01:00
Felix Fietkau
bbdc3bdb05 blobmsg: remove the unnecessary name argument from blobmsg_check_attr_list, infer it from the list type 2012-06-24 21:11:06 +02:00
Felix Fietkau
f1494cde4d blobmsg: add blobmsg_check_attr_list() to validate element types of arrays and tables 2012-06-24 21:07:47 +02:00
Felix Fietkau
74cdaf796f switch blobmsg over to permissive license 2012-05-26 18:02:30 +02:00
Felix Fietkau
51711be625 fix more instances of uninitialized padding bytes 2011-10-06 17:57:13 +02:00
Felix Fietkau
7c80b7c514 blobmsg: fill padding between name and data 2011-10-06 17:19:28 +02:00
Felix Fietkau
08aada9a93 make the blobmsg format endian agnostic (stick to big-endian) 2011-10-06 17:15:00 +02:00
Felix Fietkau
1d3e4ccb6a fix a bug in blobmsg_parse
a second entry that has the same length as an existing found entry would
abort the parse loop (reported by Stefan Mächler)
2011-08-17 10:44:11 -07:00
Felix Fietkau
6bbde6e647 allow blobmsg_add_field to add arrays/tables 2011-02-07 01:12:07 +01:00
Felix Fietkau
0918243e90 move json formatting to the blobmsg_json library 2011-02-06 21:23:28 +01:00
Felix Fietkau
01ad5162b2 add a callback to the blobmsg-to-json function to override the formatting of specific attributes 2011-02-06 16:48:28 +01:00
Felix Fietkau
3bc18fcadc blobmsg: fix dynamic string buffer length calculation 2011-02-06 02:07:26 +01:00
Felix Fietkau
29598e3dc8 add functions for allocating and adding a string buffer field 2011-02-04 21:57:59 +01:00
Felix Fietkau
3da4427fb5 fix json string formatting 2011-01-31 17:17:40 +01:00
Felix Fietkau
7a0571a9ff blobmsg: constify and add more validation 2011-01-31 03:51:06 +01:00
Felix Fietkau
da2876acd9 add support for json-formatting blobmsg elements 2011-01-30 14:15:57 +01:00
Felix Fietkau
ff585b97c0 fix json list parsing 2011-01-30 01:13:32 +01:00
Felix Fietkau
5129bc9401 blobmsg: make arrays structually the same as tables - simplifies library user code 2011-01-29 18:00:40 +01:00
Felix Fietkau
d28eb7fc28 add a blobmsg-to-json function 2011-01-23 22:52:53 +01:00
Felix Fietkau
5e5abe33fe improve validation - add header length 2011-01-23 20:32:57 +01:00
Felix Fietkau
71f0be5e11 add blobmsg validation function 2011-01-23 19:55:41 +01:00
Felix Fietkau
e82d74f898 Initial import 2010-10-13 21:29:08 +02:00