From: Zefir Kurtisi Date: Fri, 23 Apr 2021 17:48:00 +0000 (+0200) Subject: tests: add blob-buffer overflow test X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=a0dbcf8b8f966ce8a358afe555bb75401ef1e9be;p=project%2Flibubox.git tests: add blob-buffer overflow test The blob buffer has no limitation in place to prevent buflen to exceed maximum size. This commit adds a test to demonstrate how a blob increases past the maximum allowd size of 16MB. It continuously adds chunks of 64KB and with the 255th one blob_add() returns a valid attribute pointer but the blob's buflen does not increase. The test is used to demonstrate the failure, which is fixed with a follow-up commit. Signed-off-by: Zefir Kurtisi [adjusted test case for cram usage] Signed-off-by: Petr Štetiar --- diff --git a/tests/cram/test_blob_buflen.t b/tests/cram/test_blob_buflen.t new file mode 100644 index 0000000..986e476 --- /dev/null +++ b/tests/cram/test_blob_buflen.t @@ -0,0 +1,9 @@ +check that blob buffer cannot exceed maximum buffer length: + + $ [ -n "$TEST_BIN_DIR" ] && export PATH="$TEST_BIN_DIR:$PATH" + + $ valgrind --quiet --leak-check=full test-blob-buflen + SUCCESS: failed to allocate attribute + + $ test-blob-buflen-san + SUCCESS: failed to allocate attribute diff --git a/tests/test-blob-buflen.c b/tests/test-blob-buflen.c new file mode 100644 index 0000000..45ea379 --- /dev/null +++ b/tests/test-blob-buflen.c @@ -0,0 +1,31 @@ +#include + +#include "blobmsg.h" + +/* chunks of 64KB to be added to blob-buffer */ +#define BUFF_SIZE 0x10000 +/* exceed maximum blob buff-length */ +#define BUFF_CHUNKS (((BLOB_ATTR_LEN_MASK + 1) / BUFF_SIZE) + 1) + +int main(int argc, char **argv) +{ + int i; + static struct blob_buf buf; + blobmsg_buf_init(&buf); + int prev_len = buf.buflen; + + for (i = 0; i < BUFF_CHUNKS; i++) { + struct blob_attr *attr = blob_new(&buf, 0, BUFF_SIZE); + if (!attr) { + fprintf(stderr, "SUCCESS: failed to allocate attribute\n"); + break; + } + if (prev_len < buf.buflen) { + prev_len = buf.buflen; + continue; + } + fprintf(stderr, "ERROR: buffer length did not increase\n"); + return -1; + } + return 0; +}