diff options
author | Felix Fietkau <nbd@nbd.name> | 2020-05-25 14:49:35 +0200 |
---|---|---|
committer | Felix Fietkau <nbd@nbd.name> | 2020-05-26 10:06:53 +0200 |
commit | 639c29d19717616b809d9a1e9042461ab8024370 (patch) | |
tree | 93bcda56106227de2de8b3bad4279e5e58a91d62 | |
parent | c2fc622b771f679e8f55060ac60cfe02b9a80995 (diff) | |
download | libubox-639c29d19717616b809d9a1e9042461ab8024370.tar.gz |
blobmsg: simplify and fix name length checks in blobmsg_check_name
blobmsg_hdr_valid_namelen was omitted when name==false
The blob_len vs blobmsg_namelen changes were not taking into account
potential padding between name and data
Signed-off-by: Felix Fietkau <nbd@nbd.name>
-rw-r--r-- | blobmsg.c | 13 |
1 files changed, 4 insertions, 9 deletions
@@ -48,8 +48,8 @@ static bool blobmsg_hdr_valid_namelen(const struct blobmsg_hdr *hdr, size_t len) static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool name) { - char *limit = (char *) attr + len; const struct blobmsg_hdr *hdr; + uint16_t namelen; hdr = blobmsg_hdr_from_blob(attr, len); if (!hdr) @@ -58,16 +58,11 @@ static bool blobmsg_check_name(const struct blob_attr *attr, size_t len, bool na if (name && !hdr->namelen) return false; - if (name && !blobmsg_hdr_valid_namelen(hdr, len)) - return false; - - if ((char *) hdr->name + blobmsg_namelen(hdr) + 1 > limit) - return false; - - if (blobmsg_namelen(hdr) > (blob_len(attr) - sizeof(struct blobmsg_hdr))) + namelen = blobmsg_namelen(hdr); + if (blob_len(attr) < (size_t)blobmsg_hdrlen(namelen)) return false; - if (hdr->name[blobmsg_namelen(hdr)] != 0) + if (hdr->name[namelen] != 0) return false; return true; |