Avoid information leakage with badly formed download header

Message ID 20220306115047.2653932-1-allan@archlinux.org
State Accepted, archived

Commit Message

Allan McRae March 6, 2022, 11:50 a.m. UTC
Parsing of Content-Disposition relies on well formed headers.
A malformed header such as:

Content-Disposition="";

will result in a strndup(payload->content_disp_name, -1, ptr),
which will copy memory until it hits a \0.

Prevent this by only copying the value if it exists.

Fixes FS#73704.

Signed-off-by: Allan McRae <allan@archlinux.org>
---
 lib/libalpm/dload.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Patch

diff --git a/lib/libalpm/dload.c b/lib/libalpm/dload.c
index a64f405f..7c27c3ea 100644
--- a/lib/libalpm/dload.c
+++ b/lib/libalpm/dload.c
@@ -295,8 +295,11 @@  static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u
 				endptr--;
 			}
 
-			STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
-					RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
+			/* avoid information leakage with badly formed headers */
+			if(endptr > fptr) {
+				STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
+						RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
+			}
 		}
 	}
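
Review bot: The new guard `if(endptr > fptr)` is stricter than the length expression it protects. `endptr - fptr + 1` treats endptr as the last byte of the name, so `endptr == fptr` describes a valid one-character filename, and this condition now skips it. If dropping one-character names is not intended, `if(endptr >= fptr)` still rejects the zero and negative lengths, including the -1 case from the commit message. The comment could also say that payload->content_disp_name is left as it was when the check fails, since nothing in this hunk sets or clears it on that path.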