bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Reject files larger than 16384 bytes in read_sigfile.

Browse source 
If signature files are larger than SIZE_MAX, not enough memory could
be allocated for this file. The script repo-add rejects files which
are larger than 16384 bytes, therefore handle these as errors here,
too.

While at it, I also rearranged the code to avoid a quite harmless
TOCTOU race condition between stat() and fopen().

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
(cherry picked from commit 5fcd60e264)
This commit is contained in:
Tobias Stoeckmann 2016-06-18 18:41:07 +02:00 committed by Andrew Gregory
parent 8abb0cbf0e
commit 3218360114
1 changed files with 11 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
lib/libalpm/be_package.c
View file

@ -24,6 +24,7 @@
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <fcntl.h> #include <fcntl.h>
#include <limits.h>
/* libarchive */ /* libarchive */
#include <archive.h> #include <archive.h>
@ -695,22 +696,25 @@ error:
return NULL; return NULL;
} }
/* adopted limit from repo-add */
#define MAX_SIGFILE_SIZE 16384
static int read_sigfile(const char *sigpath, unsigned char **sig) static int read_sigfile(const char *sigpath, unsigned char **sig)
{ {
struct stat st; struct stat st;
FILE *fp; FILE *fp;
if(stat(sigpath, &st) != 0) {
return -1;
}
MALLOC(*sig, st.st_size, return -1);
if((fp = fopen(sigpath, "rb")) == NULL) { if((fp = fopen(sigpath, "rb")) == NULL) {
free(*sig);
return -1; return -1;
} }
if(fstat(fileno(fp), &st) != 0 || st.st_size > MAX_SIGFILE_SIZE) {
fclose(fp);
return -1;
}
MALLOC(*sig, st.st_size, fclose(fp); return -1);
if(fread(*sig, st.st_size, 1, fp) != 1) { if(fread(*sig, st.st_size, 1, fp) != 1) {
free(*sig); free(*sig);
fclose(fp); fclose(fp);