Browse Source

tests: add blob-buffer overflow test

The blob buffer has no limitation in place
to prevent buflen to exceed maximum size.

This commit adds a test to demonstrate how
a blob increases past the maximum allowd
size of 16MB. It continuously adds chunks
of 64KB and with the 255th one blob_add()
returns a valid attribute pointer but the
blob's buflen does not increase.

The test is used to demonstrate the
failure, which is fixed with a follow-up
commit.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@gmail.com>
[adjusted test case for cram usage]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
master
Zefir Kurtisi 3 weeks ago
committed by Petr Štetiar
parent
commit
a0dbcf8b8f
2 changed files with 40 additions and 0 deletions
  1. +9
    -0
      tests/cram/test_blob_buflen.t
  2. +31
    -0
      tests/test-blob-buflen.c

+ 9
- 0
tests/cram/test_blob_buflen.t View File

@ -0,0 +1,9 @@
check that blob buffer cannot exceed maximum buffer length:
$ [ -n "$TEST_BIN_DIR" ] && export PATH="$TEST_BIN_DIR:$PATH"
$ valgrind --quiet --leak-check=full test-blob-buflen
SUCCESS: failed to allocate attribute
$ test-blob-buflen-san
SUCCESS: failed to allocate attribute

+ 31
- 0
tests/test-blob-buflen.c View File

@ -0,0 +1,31 @@
#include <stdio.h>
#include "blobmsg.h"
/* chunks of 64KB to be added to blob-buffer */
#define BUFF_SIZE 0x10000
/* exceed maximum blob buff-length */
#define BUFF_CHUNKS (((BLOB_ATTR_LEN_MASK + 1) / BUFF_SIZE) + 1)
int main(int argc, char **argv)
{
int i;
static struct blob_buf buf;
blobmsg_buf_init(&buf);
int prev_len = buf.buflen;
for (i = 0; i < BUFF_CHUNKS; i++) {
struct blob_attr *attr = blob_new(&buf, 0, BUFF_SIZE);
if (!attr) {
fprintf(stderr, "SUCCESS: failed to allocate attribute\n");
break;
}
if (prev_len < buf.buflen) {
prev_len = buf.buflen;
continue;
}
fprintf(stderr, "ERROR: buffer length did not increase\n");
return -1;
}
return 0;
}

Loading…
Cancel
Save