authorAllan McRae <allan@archlinux.org>2022-03-06 21:43:59 +1000
committerAllan McRae <allan@archlinux.org>2022-03-06 21:49:56 +1000
commit40583ebe892018587ef354993dee15cff9c808d6 (patch)
tree9ed748bc6da3cc1c4d0f701b2d33ad4668eba5bd
parent632eb9739d23181996cc3f4fb069b81eb0e998c7 (diff)
Avoid information leakage with badly formed download header
Parsing of Content-Disposition relies on well-formed headers. A malformed header such as: Content-Disposition=""; will result in a strndup(payload->content_disp_name, -1, ptr), which will copy memory until it hits a \0. Prevent this by only copying the value if it exists. Fixes FS#73704. Signed-off-by: Allan McRae <allan@archlinux.org>
-rw-r--r--lib/libalpm/dload.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/libalpm/dload.c b/lib/libalpm/dload.c
index a64f405f..7c27c3ea 100644
--- a/lib/libalpm/dload.c
+++ b/lib/libalpm/dload.c
@@ -295,8 +295,11 @@ static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u
endptr--;
}
- STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
- RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
+ /* avoid information leakage with badly formed headers */
+ if(endptr > fptr) {
+ STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
+ RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
+ }
}
}
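Review bot: The new guard `if(endptr > fptr)` also skips a one-character value, because the copy length is `endptr - fptr + 1` and `endptr == fptr` therefore means a valid length of 1 rather than a malformed header. `if(endptr >= fptr)` would still reject the zero and negative lengths behind the over-read described in the commit message, while keeping single-character file names. The comment could also name the condition being guarded, for example `/* a malformed value can leave endptr before fptr; a negative length makes STRNDUP copy until the next \0 */`. The computation of endptr and the rest of dload_parseheader_cb lie outside this hunk, so the inclusive-end reading should be confirmed against the lines above it.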