fix blob parsing vulnerability by using blob_parse_untrusted

[project/ubus.git] / libubus-io.c

diff --git a/libubus-io.c b/libubus-io.c
index 0582ff72184bf8dab9e3ca017e84ae6c184f86ad..ba1016d0fa09b5cd7081209545f6a34e7104c853 100644 (file)
--- a/libubus-io.c
+++ b/libubus-io.c
@@ -43,9 +43,9 @@ static const struct blob_attr_info ubus_policy[UBUS_ATTR_MAX] = {
 
 static struct blob_attr *attrbuf[UBUS_ATTR_MAX];
 
-__hidden struct blob_attr **ubus_parse_msg(struct blob_attr *msg)
+__hidden struct blob_attr **ubus_parse_msg(struct blob_attr *msg, size_t len)
 {
-       blob_parse(msg, attrbuf, ubus_policy, UBUS_ATTR_MAX);
+       blob_parse_untrusted(msg, len, attrbuf, ubus_policy, UBUS_ATTR_MAX);
        return attrbuf;
 }
 
@@ -60,8 +60,8 @@ static void wait_data(int fd, bool write)
 static int writev_retry(int fd, struct iovec *iov, int iov_len, int sock_fd)
 {
        static struct {
-               struct cmsghdr h;
                int fd;
+               struct cmsghdr h;
        } fd_buf = {
                .h = {
                        .cmsg_len = sizeof(fd_buf),
@@ -78,7 +78,7 @@ static int writev_retry(int fd, struct iovec *iov, int iov_len, int sock_fd)
        int len = 0;
 
        do {
-               int cur_len;
+               ssize_t cur_len;
 
                if (sock_fd < 0) {
                        msghdr.msg_control = NULL;
@@ -105,7 +105,7 @@ static int writev_retry(int fd, struct iovec *iov, int iov_len, int sock_fd)
                        sock_fd = -1;
 
                len += cur_len;
-               while (cur_len >= iov->iov_len) {
+               while (cur_len >= (ssize_t) iov->iov_len) {
                        cur_len -= iov->iov_len;
                        iov_len--;
                        iov++;
@@ -154,12 +154,13 @@ int __hidden ubus_send_msg(struct ubus_context *ctx, uint32_t seq,
        return ret;
 }
 
-static int recv_retry(int fd, struct iovec *iov, bool wait, int *recv_fd)
+static int recv_retry(struct ubus_context *ctx, struct iovec *iov, bool wait, int *recv_fd)
 {
        int bytes, total = 0;
+       int fd = ctx->sock.fd;
        static struct {
-               struct cmsghdr h;
                int fd;
+               struct cmsghdr h;
        } fd_buf = {
                .h = {
                        .cmsg_type = SCM_RIGHTS,
@@ -173,9 +174,6 @@ static int recv_retry(int fd, struct iovec *iov, bool wait, int *recv_fd)
        };
 
        while (iov->iov_len > 0) {
-               if (wait)
-                       wait_data(fd, false);
-
                if (recv_fd) {
                        msghdr.msg_control = &fd_buf;
                        msghdr.msg_controllen = sizeof(fd_buf);
@@ -191,8 +189,6 @@ static int recv_retry(int fd, struct iovec *iov, bool wait, int *recv_fd)
 
                if (bytes < 0) {
                        bytes = 0;
-                       if (uloop_cancelled)
-                               return 0;
                        if (errno == EINTR)
                                continue;
 
@@ -211,12 +207,15 @@ static int recv_retry(int fd, struct iovec *iov, bool wait, int *recv_fd)
                iov->iov_len -= bytes;
                iov->iov_base += bytes;
                total += bytes;
+
+               if (iov->iov_len > 0)
+                       wait_data(fd, false);
        }
 
        return total;
 }
 
-static bool ubus_validate_hdr(struct ubus_msghdr *hdr)
+bool ubus_validate_hdr(struct ubus_msghdr *hdr)
 {
        struct blob_attr *data = (struct blob_attr *) (hdr + 1);
 
@@ -274,7 +273,7 @@ static bool get_next_msg(struct ubus_context *ctx, int *recv_fd)
        int r;
 
        /* receive header + start attribute */
-       r = recv_retry(ctx->sock.fd, &iov, false, recv_fd);
+       r = recv_retry(ctx, &iov, false, recv_fd);
        if (r <= 0) {
                if (r < 0)
                        ctx->sock.eof = true;
@@ -298,7 +297,7 @@ static bool get_next_msg(struct ubus_context *ctx, int *recv_fd)
        iov.iov_base = (char *)ctx->msgbuf.data + sizeof(hdrbuf.data);
        iov.iov_len = blob_len(ctx->msgbuf.data);
        if (iov.iov_len > 0 &&
-           recv_retry(ctx->sock.fd, &iov, true, NULL) <= 0)
+           recv_retry(ctx, &iov, true, NULL) <= 0)
                return false;
 
        return true;
@@ -311,7 +310,7 @@ void __hidden ubus_handle_data(struct uloop_fd *u, unsigned int events)
 
        while (get_next_msg(ctx, &recv_fd)) {
                ubus_process_msg(ctx, &ctx->msgbuf, recv_fd);
-               if (uloop_cancelled)
+               if (uloop_cancelling() || ctx->cancel_poll)
                        break;
        }
 
@@ -326,6 +325,7 @@ void __hidden ubus_poll_data(struct ubus_context *ctx, int timeout)
                .events = POLLIN | POLLERR,
        };
 
+       ctx->cancel_poll = false;
        poll(&pfd, 1, timeout ? timeout : -1);
        ubus_handle_data(&ctx->sock, ULOOP_READ);
 }
@@ -372,6 +372,8 @@ int ubus_reconnect(struct ubus_context *ctx, const char *path)
                close(ctx->sock.fd);
        }
 
+       ctx->sock.eof = false;
+       ctx->sock.error = false;
        ctx->sock.fd = usock(USOCK_UNIX, path, NULL);
        if (ctx->sock.fd < 0)
                return UBUS_STATUS_CONNECTION_FAILED;
@@ -390,7 +392,7 @@ int ubus_reconnect(struct ubus_context *ctx, const char *path)
                goto out_close;
 
        memcpy(buf, &hdr.data, sizeof(hdr.data));
-       if (read(ctx->sock.fd, blob_data(buf), blob_len(buf)) != blob_len(buf))
+       if (read(ctx->sock.fd, blob_data(buf), blob_len(buf)) != (ssize_t) blob_len(buf))
                goto out_free;
 
        ctx->local_id = hdr.hdr.peer;