blob: fix exceeding maximum buffer length

Currently there is no measure in place to prevent the blob buffer
to exceed its maximum allowed length of 16MB. Continuously
calling blob_add() will expand the buffer until it exceeds
BLOB_ATTR_LEN_MASK and after that will return valid blob_attr
pointer without increasing the buflen.

A test program was added in the previous commit, this one fixes
the issue by asserting that the new bufflen after grow does not
exceed BLOB_ATTR_LEN_MASK.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@gmail.com>

diff --git a/blob.c b/blob.c
index 433becb904f54d4e0b3fb186756f62c71beb0ba5..bd66d78fee47ca4a2114e500baabcae87262491e 100644 (file)
--- a/blob.c
+++ b/blob.c
@@ -58,6 +58,8 @@ blob_buf_grow(struct blob_buf *buf, int required)
 {
        int offset_head = attr_to_offset(buf, buf->head);
 
+       if ((buf->buflen + required) > BLOB_ATTR_LEN_MASK)
+               return false;
        if (!buf->grow || !buf->grow(buf, required))
                return false;