[PATCH] Avoid information leakage with badly formed download header
Allan McRae
allan at archlinux.org
Sun Mar 6 11:50:47 UTC 2022
Parsing of Content-Disposition relies on well formed headers.
A malformed header such as:
Content-Disposition="";
will result in a strndup(payload->content_disp_name, -1, ptr),
which will copy memory until it hits a \0.
Prevent this by only copying the value if it exists.
Fixes FS#73704.
Signed-off-by: Allan McRae <allan at archlinux.org>
---
lib/libalpm/dload.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/libalpm/dload.c b/lib/libalpm/dload.c
index a64f405f..7c27c3ea 100644
--- a/lib/libalpm/dload.c
+++ b/lib/libalpm/dload.c
@@ -295,8 +295,11 @@ static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u
endptr--;
}
- STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
- RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
+ /* avoid information leakage with badly formed headers */
+ if(endptr > fptr) {
+ STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
+ RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
+ }
}
}
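Review bot: the guard `if(endptr > fptr)` also excludes the case endptr == fptr, where the length passed to STRNDUP, `endptr - fptr + 1`, is 1, so a one-character filename is skipped together with the malformed header. If the intent is only to reject empty or negative lengths, `endptr >= fptr` covers that. The comment could also say that a negative length is what is being guarded against, since "information leakage" alone does not explain the condition. Since the branch now leaves payload->content_disp_name unassigned for such headers, it is worth confirming in the patch description that later users of that field handle it being unset.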
--
2.35.1