blob_parse_untrusted(), as written, requires that the buffer length be exactly the same as that of the first blob inside it, the buffer being the memory area of size //attr_len//, pointed to by //attr//.
This can work if that input buffer contains exactly a single blob (which recursively contains other blobs, maybe). But it certainly does not work if there is any padding at the end of the buffer (thus //attr_len > blob_raw_len(attr)//), or if the buffer contains a series of blobs "back-to-back" (like a ucert chain seems to be defined to be).
Just removing the code block below (or adjusting it to use len > attr_len):

    len = blob_raw_len(attr);
    if (len != attr_len)

won't fix it, because blob_for_each_attr_len() does not actually walk a series of back-to-back blobs anyway (it never updates //attr// and //attr_len//).
So, what is actually the intended usage for this stuff? This really wants to be documented: there is no high-level "what this is supposed to be used for" documentation anywhere in blob.h or blob.c, let alone proper documentation of every exported function in blob.h/blob.c :-(
Anyway, what ucert -A is doing is incompatible with blob_parse() and also blob_parse_untrusted(), since it wants to deal with a series of blobs back-to-back, and not a single blob that contains other blobs.
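
The difference between the exact-length rule and a back-to-back walk, as an added example that is not part of the original report and is not libubox code. It assumes a blob header modelled on blob.h (32-bit big-endian word, low 24 bits holding the raw length including the header, blobs padded to 4 bytes); single_blob_ok(), walk_blobs() and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR_SIZE 4u              /* assumed: 32-bit big-endian id_len header */
#define LEN_MASK 0x00ffffffu     /* assumed: low 24 bits = raw length incl. header */
#define ALIGN    4u              /* assumed: blobs are padded to 4 bytes */

/* Raw length claimed by the header at p (caller guarantees 4 readable bytes). */
static uint32_t raw_len(const uint8_t *p)
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | p[3];
    return v & LEN_MASK;
}

/* The exact-match rule described in the issue: the buffer must be one blob. */
static int single_blob_ok(const uint8_t *buf, size_t len)
{
    return len >= HDR_SIZE && raw_len(buf) == len;
}

/* Hypothetical walker: count back-to-back blobs, -1 if any header is bogus. */
static int walk_blobs(const uint8_t *buf, size_t len)
{
    int count = 0;
    while (len > 0) {
        if (len < HDR_SIZE)
            return -1;                       /* trailing bytes, no room for a header */
        size_t raw = raw_len(buf);
        if (raw < HDR_SIZE || raw > len)
            return -1;                       /* shorter than a header, or overruns */
        size_t pad = (raw + ALIGN - 1) & ~(size_t)(ALIGN - 1);
        size_t step = pad < len ? pad : len; /* last blob may lack its padding */
        buf += step;                         /* the update the issue says is missing */
        len -= step;
        count++;
    }
    return count;
}

/* Constructed sample: blob of raw length 8, then raw length 6 plus 2 pad bytes. */
static const uint8_t two_blobs[] = {
    0x01, 0x00, 0x00, 0x08, 'a', 'b', 'c', 'd',
    0x02, 0x00, 0x00, 0x06, 'x', 'y', 0x00, 0x00,
};
int main(void)
{
    size_t n = sizeof two_blobs;
    return (walk_blobs(two_blobs, n) == 2 && !single_blob_ok(two_blobs, n)) ? 0 : 1;
}
```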