Skip to content

Commit

Permalink
fix(ubus): prevent zLib buffer overflow
Browse files Browse the repository at this point in the history
  • Loading branch information
dfranusic committed Jan 14, 2022
1 parent e5b99d2 commit 43bf9b4
Showing 1 changed file with 7 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -373,8 +373,9 @@ static void ubus_event_cb(ubus_request *req, int type, blob_attr *msg){
zs.zalloc = Z_NULL;
zs.zfree = Z_NULL;
zs.opaque = Z_NULL;
size_t buff_sz = strlen(ic->ev_usr_cb->buff);
// input size
zs.avail_in = strlen(ic->ev_usr_cb->buff);
zs.avail_in = buff_sz;
// input data
zs.next_in = (Bytef *)ic->ev_usr_cb->buff;
//output buffer size
Expand Down Expand Up @@ -410,8 +411,12 @@ static void ubus_event_cb(ubus_request *req, int type, blob_attr *msg){
delete ic;
return;
}

// switch buffers
// size check (realloc is fine since libubus is a C lib)
if (zs.total_out > buff_sz)
ic->ev_usr_cb->buff = (char *)realloc(ic->ev_usr_cb->buff,
zs.total_out);

memcpy(ic->ev_usr_cb->buff, z_out_buff, zs.total_out);
sp->set_data(ic->ev_usr_cb->buff, zs.total_out);
sp->set_id(PT_OWRT_UBUS_RESULT);
Expand Down

0 comments on commit 43bf9b4

Please sign in to comment.