OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Medium
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Henrique de Moraes Holschuh - 22.01.2020
Last edited by Baptiste Jonglez - 20.06.2020

FS#2762 - libubox: blob_parse_untrusted() / blob_parse() incompatible with its use by ucert

blob_parse_untrusted(), as written, requires that the buffer length be exactly the same of the first blob inside it, the buffer being the memory area of size attr_len, pointed to by attr.

This can work if that input buffer contains exactly a single blob (which recursively contains other blobs, maybe). But it certainly does not work if there is any padding at the end of the buffer (thus attr_len > blob_raw_len(attr)), or if the buffer contains a series of blobs “back-to-back” (like an ucert chain seems to be defined to be).

Just removing the code block below (or adjusting it to use len > attr_len):

len = blob_raw_len(attr); 
if (len != attr_len) 
      return 0; 

Won’t fix it, because blob_for_each_attr_len() does not actually walk a series of back-to-back blobs anyway (it never updates attr and attr_len).

So, what is actually the intended usage for this stuff? This really wants to be documented, there is no high-level “what this is supposed to be used for” documentation anywhere in blob.h or blob.c, let alone a proper documentation of every exported function in blob.h/blob.c :-(

Anyway, what ucert -A is doing is incompatible with blob_parse() and also blob_parse_untrusted(), since it wants to deal with a series of blobs back-to-back, and not a single blob that contains other blobs.

Closed by  Baptiste Jonglez
20.06.2020 18:25
Reason for closing:  Fixed
Additional comments about closing: b

Henrique de Moraes Holschuh commented on 22.01.2020 16:51

(related to FS#2764, which is the ucert side)

Project Manager
Matthias Schiffer commented on 17.05.2020 08:59

I have posted a patchset to the OpenWrt ML that should fix this issue.

You can find an OpenWrt tree with the patches included in the ucert-fixes branch of;a=summary

Project Manager
Baptiste Jonglez commented on 20.06.2020 18:25

Closing since this has been merged and backported to 19.07.

Should this be backported to 18.06 as well?


Available keyboard shortcuts


Task Details

Task Editing