From: Felix Fietkau <nbd@openwrt.org>
Date: Mon, 3 Oct 2011 10:36:46 +0000 (+0200)
Subject: fix reads beyond the end of the buffer when iterating over blob attributes
X-Git-Url: http://207.154.207.93/?a=commitdiff_plain;h=591a1e349f94a4a69dea0c0bb04919a41367c009;p=project%2Flibubox.git

fix reads beyond the end of the buffer when iterating over blob attributes
---

diff --git a/blob.h b/blob.h
index 10adde8..7f4a46a 100644
--- a/blob.h
+++ b/blob.h
@@ -258,14 +258,14 @@ blob_put_int64(struct blob_buf *buf, int id, uint64_t val)
 
 #define __blob_for_each_attr(pos, attr, rem) \
 	for (pos = (void *) attr; \
-		 (blob_pad_len(pos) <= rem) && \
+		 rem > 0 && (blob_pad_len(pos) <= rem) && \
 		 (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
 		 rem -= blob_pad_len(pos), pos = blob_next(pos))
 
 
 #define blob_for_each_attr(pos, attr, rem) \
 	for (rem = blob_len(attr), pos = blob_data(attr); \
-		 (blob_pad_len(pos) <= rem) && \
+		 rem > 0 && (blob_pad_len(pos) <= rem) && \
 		 (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
 		 rem -= blob_pad_len(pos), pos = blob_next(pos))
 
diff --git a/blobmsg.h b/blobmsg.h
index a63fcad..f2ab007 100644
--- a/blobmsg.h
+++ b/blobmsg.h
@@ -177,7 +177,7 @@ void blobmsg_add_string_buffer(struct blob_buf *buf);
 
 #define blobmsg_for_each_attr(pos, attr, rem) \
 	for (rem = blobmsg_data_len(attr), pos = blobmsg_data(attr); \
-		 (blob_pad_len(pos) <= rem) && \
+		 rem > 0 && (blob_pad_len(pos) <= rem) && \
 		 (blob_pad_len(pos) >= sizeof(struct blob_attr)); \
 		 rem -= blob_pad_len(pos), pos = blob_next(pos))