| Field | Value | Date |
|---|---|---|
| author | Allan McRae <allan@archlinux.org> | 2022-03-06 21:43:59 +1000 |
| committer | Allan McRae <allan@archlinux.org> | 2022-03-06 21:49:56 +1000 |
| commit | 40583ebe892018587ef354993dee15cff9c808d6 | |
| tree | 9ed748bc6da3cc1c4d0f701b2d33ad4668eba5bd | |
| parent | 632eb9739d23181996cc3f4fb069b81eb0e998c7 | |
Avoid information leakage with badly formed download header
Parsing of Content-Disposition relies on well formed headers.
A malformed header such as:
Content-Disposition="";
will result in a strndup(payload->content_disp_name, -1, ptr),
which will copy memory until it hits a \0.
Prevent this by only copying the value if it exists.
Fixes FS#73704.
Signed-off-by: Allan McRae <allan@archlinux.org>
-rw-r--r-- | lib/libalpm/dload.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/libalpm/dload.c b/lib/libalpm/dload.c index a64f405f..7c27c3ea 100644 --- a/lib/libalpm/dload.c +++ b/lib/libalpm/dload.c @@ -295,8 +295,11 @@ static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u endptr--; } - STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1, - RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize)); + /* avoid information leakage with badly formed headers */ + if(endptr > fptr) { + STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1, + RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize)); + } } } |
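Review bot: the new guard `if(endptr > fptr)` is stricter than the problem it addresses: when `endptr == fptr` the copy length `endptr - fptr + 1` is 1, which is a valid one-character value, yet the guard skips it. Consider `endptr >= fptr`, which still excludes every case where the length would be zero or negative. Separately, when the guard is false `payload->content_disp_name` is simply not assigned and the callback continues with no indication that the filename was dropped; the added comment would be more useful if it named the actual condition (a non-positive length reaching STRNDUP) and said what the rest of the download path should expect when no name was stored.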