- Status Closed
- Percent Complete
- Task Type Bug Report
- Category Base system
- Assigned To No-one
- Operating System All
- Severity Medium
- Priority Very Low
- Reported Version Trunk
- Due in Version Undecided
-
Due Date
Undecided
- Private
Opened by Henrique de Moraes Holschuh - 22.01.2020
Last edited by Baptiste Jonglez - 20.06.2020
FS#2762 - libubox: blob_parse_untrusted() / blob_parse() incompatible with its use by ucert
blob_parse_untrusted(), as written, requires that the buffer length be exactly the same of the first blob inside it, the buffer being the memory area of size attr_len, pointed to by attr.
This can work if that input buffer contains exactly a single blob (which recursively contains other blobs, maybe). But it certainly does not work if there is any padding at the end of the buffer (thus attr_len > blob_raw_len(attr)), or if the buffer contains a series of blobs “back-to-back” (like an ucert chain seems to be defined to be).
Just removing the code block below (or adjusting it to use len > attr_len):
len = blob_raw_len(attr);
if (len != attr_len)
return 0;
Won’t fix it, because blob_for_each_attr_len() does not actually walk a series of back-to-back blobs anyway (it never updates attr and attr_len).
So, what is actually the intended usage for this stuff? This really wants to be documented, there is no high-level “what this is supposed to be used for” documentation anywhere in blob.h or blob.c, let alone a proper documentation of every exported function in blob.h/blob.c 
Anyway, what ucert -A is doing is incompatible with blob_parse() and also blob_parse_untrusted(), since it wants to deal with a series of blobs back-to-back, and not a single blob that contains other blobs.
20.06.2020 18:25
Reason for closing: Fixed
Additional comments about closing:
(related to FS#2764, which is the ucert side)
I have posted a patchset to the OpenWrt ML that should fix this issue.
You can find an OpenWrt tree with the patches included in the ucert-fixes branch of https://git.openwrt.org/?p=openwrt/staging/neoraider.git;a=summary
Closing since this has been merged and backported to 19.07.
Should this be backported to 18.06 as well?