Avoid information leakage with badly formed download header

Parsing of Content-Disposition relies on well formed headers.
A malformed header such as:

Content-Disposition="";

will result in a strndup(payload->content_disp_name, -1, ptr),
which will copy memory until it hits a \0.

Prevent this by only copying the value if it exists.

Fixes FS#73704.

Signed-off-by: Allan McRae <allan@archlinux.org>
Allan McRae 2022-03-06 21:43:59 +10:00
parent 632eb9739d
commit 40583ebe89


@ -295,10 +295,13 @@ static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u
endptr--; endptr--;
} }
/* avoid information leakage with badly formed headers */
if(endptr > fptr) {
STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1, STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize)); RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
} }
} }
}
curl_easy_getinfo(payload->curl, CURLINFO_RESPONSE_CODE, &respcode); curl_easy_getinfo(payload->curl, CURLINFO_RESPONSE_CODE, &respcode);
if(payload->respcode != respcode) { if(payload->respcode != respcode) {
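Review bot: The new guard `if(endptr > fptr)` is stricter than the length it protects. The copy takes `endptr - fptr + 1` bytes, so `endptr == fptr` describes a valid one-character name, and that case is now silently skipped. If `endptr` is meant to point at the last character inclusive, as the `+ 1` implies, `endptr >= fptr` would reject only the empty or inverted range that produces the negative length described in the commit message. The comment could also state how `endptr` can end up before `fptr` after the `endptr--` above, and a debug log on the skipped path would help when diagnosing a server that sends a malformed Content-Disposition header.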