bool send;
char *data;
- blob_parse(msg, tb, policy, UBUS_MONITOR_MAX);
+ blob_parse_untrusted(msg, blob_raw_len(msg), tb, policy, UBUS_MONITOR_MAX);
if (!tb[UBUS_MONITOR_CLIENT] ||
!tb[UBUS_MONITOR_PEER] ||
extern struct blob_buf b;
extern const struct ubus_method watch_method;
-struct blob_attr **ubus_parse_msg(struct blob_attr *msg);
+struct blob_attr **ubus_parse_msg(struct blob_attr *msg, size_t len);
bool ubus_validate_hdr(struct ubus_msghdr *hdr);
void ubus_handle_data(struct uloop_fd *u, unsigned int events);
int ubus_send_msg(struct ubus_context *ctx, uint32_t seq,
static struct blob_attr *attrbuf[UBUS_ATTR_MAX];
-__hidden struct blob_attr **ubus_parse_msg(struct blob_attr *msg)
+__hidden struct blob_attr **ubus_parse_msg(struct blob_attr *msg, size_t len)
{
- blob_parse(msg, attrbuf, ubus_policy, UBUS_ATTR_MAX);
+ blob_parse_untrusted(msg, len, attrbuf, ubus_policy, UBUS_ATTR_MAX);
return attrbuf;
}
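Review bot: The return value of `blob_parse_untrusted()` is dropped on the added line and `attrbuf` is returned unconditionally, so callers cannot tell a rejected message from one that merely lacks an attribute. Since `attrbuf` is a file-scope static, this is safe only if the parser clears the array before every early exit; that is not visible in this diff and should be confirmed, otherwise pointers from a previously parsed message could survive a rejected parse and pass the `!attrbuf[...]` checks in the callers. I would clear it up front with `memset(attrbuf, 0, sizeof(attrbuf));` before the parse call, and add a comment on the function such as `/* len: number of bytes the caller knows to be valid at msg */`. The ubusd copy of `ubus_parse_msg` later in this diff has the same shape.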
struct ubus_object *obj;
uint32_t objid;
void *prev_data = NULL;
- attrbuf = ubus_parse_msg(buf->data);
+ attrbuf = ubus_parse_msg(buf->data, blob_raw_len(buf->data));
if (!attrbuf[UBUS_ATTR_OBJID])
return;
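Review bot: The bound passed on the added line is `blob_raw_len(buf->data)`, which is read from the header of the same buffer being parsed, so the untrusted parser receives a self-reported length rather than the number of bytes actually received. Nested attributes are presumably still checked against that outer length, but the outer length is only trustworthy if the receive path already validated it against the read size, which this hunk does not show. Where the received byte count is available it should be passed instead; otherwise a comment like `/* length already validated against received size in <receive path> */` would record the assumption. Every other call site in this diff follows the same pattern except the fuzzer, which passes its real `size` and therefore exercises a different length relationship than production callers. The enclosing function starts and ends outside the hunk.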
static void ubus_add_object_cb(struct ubus_request *req, int type, struct blob_attr *msg)
{
struct ubus_object *obj = req->priv;
- struct blob_attr **attrbuf = ubus_parse_msg(msg);
+ struct blob_attr **attrbuf = ubus_parse_msg(msg, blob_raw_len(msg));
if (!attrbuf[UBUS_ATTR_OBJID])
return;
static void ubus_remove_object_cb(struct ubus_request *req, int type, struct blob_attr *msg)
{
struct ubus_object *obj = req->priv;
- struct blob_attr **attrbuf = ubus_parse_msg(msg);
+ struct blob_attr **attrbuf = ubus_parse_msg(msg, blob_raw_len(msg));
if (!attrbuf[UBUS_ATTR_OBJID])
return;
if (!req->data_cb)
return;
- attr = ubus_parse_msg(data);
+ attr = ubus_parse_msg(data, blob_raw_len(data));
if (!attr[UBUS_ATTR_DATA])
return;
static bool ubus_get_status(struct ubus_msghdr_buf *buf, int *ret)
{
- struct blob_attr **attrbuf = ubus_parse_msg(buf->data);
+ struct blob_attr **attrbuf = ubus_parse_msg(buf->data, blob_raw_len(buf->data));
if (!attrbuf[UBUS_ATTR_STATUS])
return false;
if (!id) {
/* first id: ubusd's status message with a list of ids */
- tb = ubus_parse_msg(buf->data);
+ tb = ubus_parse_msg(buf->data, blob_raw_len(buf->data));
if (tb[UBUS_ATTR_SUBSCRIBERS]) {
blob_for_each_attr(cur, tb[UBUS_ATTR_SUBSCRIBERS], rem) {
if (!blob_check_type(blob_data(cur), blob_len(cur), BLOB_ATTR_INT32))
struct blob_attr **attr;
req = container_of(ureq, struct ubus_lookup_request, req);
- attr = ubus_parse_msg(msg);
+ attr = ubus_parse_msg(msg, blob_raw_len(msg));
if (!attr[UBUS_ATTR_OBJID] || !attr[UBUS_ATTR_OBJPATH] ||
!attr[UBUS_ATTR_OBJTYPE])
struct blob_attr **attr;
uint32_t *id = req->priv;
- attr = ubus_parse_msg(msg);
+ attr = ubus_parse_msg(msg, blob_raw_len(msg));
if (!attr[UBUS_ATTR_OBJID])
return;
if (blob_pad_len(attr) > UBUS_MAX_MSGLEN)
return;
- ubus_parse_msg(attr);
+ ubus_parse_msg(attr, size);
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
void ubus_msg_send(struct ubus_client *cl, struct ubus_msg_buf *ub);
ssize_t ubus_msg_writev(int fd, struct ubus_msg_buf *ub, size_t offset);
void ubus_msg_free(struct ubus_msg_buf *ub);
-struct blob_attr **ubus_parse_msg(struct blob_attr *msg);
+struct blob_attr **ubus_parse_msg(struct blob_attr *msg, size_t len);
struct ubus_client *ubusd_proto_new_client(int fd, uloop_fd_handler cb);
void ubusd_proto_receive_message(struct ubus_client *cl, struct ubus_msg_buf *ub);
static int ubusd_acl_recv(struct ubus_client *cl, struct ubus_msg_buf *ub, const char *method, struct blob_attr *msg)
{
if (!strcmp(method, "query"))
- return ubusd_reply_query(cl, ub, ubus_parse_msg(ub->data), msg);
+ return ubusd_reply_query(cl, ub, ubus_parse_msg(ub->data, blob_raw_len(ub->data)), msg);
return UBUS_STATUS_INVALID_COMMAND;
}
[UBUS_ATTR_GROUP] = { .type = BLOB_ATTR_STRING },
};
-struct blob_attr **ubus_parse_msg(struct blob_attr *msg)
+struct blob_attr **ubus_parse_msg(struct blob_attr *msg, size_t len)
{
- blob_parse(msg, attrbuf, ubus_policy, UBUS_ATTR_MAX);
+ blob_parse_untrusted(msg, len, attrbuf, ubus_policy, UBUS_ATTR_MAX);
return attrbuf;
}
/* Note: no callback should free the `ub` buffer
that's always done right after the callback finishes */
if (cb)
- ret = cb(cl, ub, ubus_parse_msg(ub->data));
+ ret = cb(cl, ub, ubus_parse_msg(ub->data, blob_raw_len(ub->data)));
else
ret = UBUS_STATUS_INVALID_COMMAND;