FS#2762 : libubox: blob_parse_untrusted() / blob_parse() incompatible with its use by ucert

Status Closed
Percent Complete
100%
Task Type Bug Report
Category Base system
Assigned To No-one
Operating System All
Severity Medium
Priority Very Low
Reported Version Trunk
Due in Version Undecided
Due Date Undecided
Private

Attached to Project: OpenWrt/LEDE Project
Opened by Henrique de Moraes Holschuh - 22.01.2020
Last edited by Baptiste Jonglez - 20.06.2020

FS#2762 - libubox: blob_parse_untrusted() / blob_parse() incompatible with its use by ucert

blob_parse_untrusted(), as written, requires that the buffer length be exactly the same of the first blob inside it, the buffer being the memory area of size attr_len, pointed to by attr.

This can work if that input buffer contains exactly a single blob (which recursively contains other blobs, maybe). But it certainly does not work if there is any padding at the end of the buffer (thus attr_len > blob_raw_len(attr)), or if the buffer contains a series of blobs “back-to-back” (like an ucert chain seems to be defined to be).

Just removing the code block below (or adjusting it to use len > attr_len):

len = blob_raw_len(attr); 
if (len != attr_len) 
      return 0;

Won’t fix it, because blob_for_each_attr_len() does not actually walk a series of back-to-back blobs anyway (it never updates attr and attr_len).

So, what is actually the intended usage for this stuff? This really wants to be documented, there is no high-level “what this is supposed to be used for” documentation anywhere in blob.h or blob.c, let alone a proper documentation of every exported function in blob.h/blob.c :-(

Anyway, what ucert -A is doing is incompatible with blob_parse() and also blob_parse_untrusted(), since it wants to deal with a series of blobs back-to-back, and not a single blob that contains other blobs.

Closed by Baptiste Jonglez
20.06.2020 18:25
Reason for closing: Fixed
Additional comments about closing:

https://git.openwrt.org/86818eaa976 b