From patchwork Sun Mar 6 11:50:47 2022
X-Patchwork-Submitter: Allan McRae
X-Patchwork-Id: 2044
From: Allan McRae
To: pacman-dev@lists.archlinux.org
Subject: [PATCH] Avoid information leakage with badly formed download header
Date: Sun, 6 Mar 2022 21:50:47 +1000
Message-Id: <20220306115047.2653932-1-allan@archlinux.org>
List-Id: Discussion list for pacman development

Parsing of Content-Disposition relies on well formed headers. A malformed header such as:

Content-Disposition="";

will result in a strndup(payload->content_disp_name, -1, ptr), which will copy memory until it hits a \0.

Prevent this by only copying the value if it exists.

Fixes FS#73704.

Signed-off-by: Allan McRae

--- lib/libalpm/dload.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/libalpm/dload.c b/lib/libalpm/dload.c index a64f405f..7c27c3ea 100644 --- a/lib/libalpm/dload.c +++ b/lib/libalpm/dload.c
@@ -295,8 +295,11 @@ static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u endptr--; } - STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1, - RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize)); + /* avoid information leakage with badly formed headers */ + if(endptr > fptr) { + STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1, + RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize)); + } } }
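
Review bot: the new guard `if(endptr > fptr)` also skips the copy when `endptr == fptr`, where the length handed to STRNDUP, `endptr - fptr + 1`, is 1, so a single-character filename value would be dropped together with the malformed case. If `endptr` points at the last character of the value, as the `+ 1` in the length suggests, `endptr >= fptr` would reject only the empty or inverted range that produces the non-positive length described in the commit message. It is also worth confirming that whatever reads `payload->content_disp_name` after this callback copes with it being left unset when the copy is skipped, and the comment could name the concrete hazard (a length of zero or less reaching STRNDUP) instead of the general "information leakage".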