FS#2762 - libubox: blob_parse_untrusted() / blob_parse() incompatible with its use by ucert

[openwrt-bot]

hmh:

blob_parse_untrusted(), as written, requires that the buffer length be exactly the same of the first blob inside it, the buffer being the memory area of size //attr_len//, pointed to by //attr//.

This can work if that input buffer contains exactly a single blob (which recursively contains other blobs, maybe). But it certainly does not work if there is any padding at the end of the buffer (thus //attr_len > blob_raw_len(attr)//), or if the buffer contains a series of blobs "back-to-back" (like an ucert chain seems to be defined to be).

Just removing the code block below (or adjusting it to use len > attr_len):

len = blob_raw_len(attr);
if (len != attr_len)
return 0;


Won't fix it, because blob_for_each_attr_len() does not actually walk a series of back-to-back blobs anyway (it never updates //attr// and //attr_len//).

So, what is actually the intended usage for this stuff? This really wants to be documented, there is no high-level "what this is supposed to be used for" documentation anywhere in blob.h or blob.c, let alone a proper documentation of every exported function in blob.h/blob.c :-(

Anyway, what ucert -A is doing is incompatible with blob_parse() and also blob_parse_untrusted(), since it wants to deal with a series of blobs back-to-back, and not a single blob that contains other blobs.

[openwrt-bot]

hmh:

(related to FS#2764, which is the ucert side)

[openwrt-bot]

NeoRaider:

I have posted a patchset to the OpenWrt ML that should fix this issue.

You can find an OpenWrt tree with the patches included in the ucert-fixes branch of https://git.openwrt.org/?p=openwrt/staging/neoraider.git;a=summary

[openwrt-bot]

bjonglez:

Closing since this has been merged and backported to 19.07.

Should this be backported to 18.06 as well?