Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FS#2762 - libubox: blob_parse_untrusted() / blob_parse() incompatible with its use by ucert #8017

Closed
openwrt-bot opened this issue Jan 22, 2020 · 3 comments
Labels

Comments

@openwrt-bot
Copy link

@openwrt-bot openwrt-bot commented Jan 22, 2020

hmh:

blob_parse_untrusted(), as written, requires that the buffer length be exactly the same of the first blob inside it, the buffer being the memory area of size //attr_len//, pointed to by //attr//.

This can work if that input buffer contains exactly a single blob (which recursively contains other blobs, maybe). But it certainly does not work if there is any padding at the end of the buffer (thus //attr_len > blob_raw_len(attr)//), or if the buffer contains a series of blobs "back-to-back" (like an ucert chain seems to be defined to be).

Just removing the code block below (or adjusting it to use len > attr_len):

len = blob_raw_len(attr);
if (len != attr_len)
return 0;

Won't fix it, because blob_for_each_attr_len() does not actually walk a series of back-to-back blobs anyway (it never updates //attr// and //attr_len//).

So, what is actually the intended usage for this stuff? This really wants to be documented, there is no high-level "what this is supposed to be used for" documentation anywhere in blob.h or blob.c, let alone a proper documentation of every exported function in blob.h/blob.c :-(

Anyway, what ucert -A is doing is incompatible with blob_parse() and also blob_parse_untrusted(), since it wants to deal with a series of blobs back-to-back, and not a single blob that contains other blobs.

@openwrt-bot
Copy link
Author

@openwrt-bot openwrt-bot commented Jan 22, 2020

hmh:

(related to FS#2764, which is the ucert side)

@openwrt-bot
Copy link
Author

@openwrt-bot openwrt-bot commented May 17, 2020

NeoRaider:

I have posted a patchset to the OpenWrt ML that should fix this issue.

You can find an OpenWrt tree with the patches included in the ucert-fixes branch of https://git.openwrt.org/?p=openwrt/staging/neoraider.git;a=summary

@openwrt-bot
Copy link
Author

@openwrt-bot openwrt-bot commented Jun 20, 2020

bjonglez:

Closing since this has been merged and backported to 19.07.

Should this be backported to 18.06 as well?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant