bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Avoid information leakage with badly formed download header

Browse source 
Parsing of Content-Disposition relies on well formed headers.
A malformed header such as:

Content-Disposition="";

will result in a strnduppayload->content_disp_name, -1, ptr),
which will copy memory until it hits a \0.

Prevent this by only copying the value if it exists.

Fixes FS#73704.

Signed-off-by: Allan McRae <allan@archlinux.org>
(cherry picked from commit 40583ebe89)
This commit is contained in:
Allan McRae 2022-03-06 21:43:59 +10:00
parent b187daefdf
commit 3bad984871
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
lib/libalpm/dload.c
View file

@ -295,8 +295,11 @@ static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u
endptr--;
}
STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
/* avoid information leakage with badly formed headers */
if(endptr > fptr) {
STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
}
}
}