authorTimo Teräs <timo.teras@iki.fi>2021-04-11 15:21:42 +0300
committerTimo Teräs <timo.teras@iki.fi>2021-04-11 15:29:44 +0300
commitca598e2a51fd80ed789e5fb4aa48816ccd84e374 (patch)
treefddb8b64cc54a059e22b9ee6e5fd5b74450ac6d2 /src/io_archive.c
parent3c339a74d1b9dba23d60d6c769d99227d75cc6dc (diff)
io_archive: add bounds limit for uname and gname tar header fields
Modify apk_resolve_[ug]id to take the user/groupname as a blob, so proper length checking is done and honored. ==31584== Conditional jump or move depends on uninitialised value(s) ==31584== at 0x5C8CA5: strlen (strlen.c:17) ==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79) ==31584== by 0x4350EB: apk_resolve_uid (io.c:1112) ==31584== by 0x43696C: apk_tar_parse (io_archive.c:152) ==31584== by 0x4271BC: apk_pkg_read (package.c:929) ==31584== by 0x402D75: add_main (app_add.c:163) ==31584== by 0x40D5FF: main (apk-static.c:516) Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139. Reported-by: Sören Tempel <soeren+git@soeren-tempel.net> Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>
Diffstat (limited to 'src/io_archive.c')
-rw-r--r--src/io_archive.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/io_archive.c b/src/io_archive.c
index 79cfd74..1022e8f 100644
--- a/src/io_archive.c
+++ b/src/io_archive.c
@@ -49,6 +49,7 @@ struct tar_header {
char padding[12]; /* 500-511 */
};
+#define TAR_BLOB(s) APK_BLOB_PTR_LEN(s, strnlen(s, sizeof(s)))
#define GET_OCTAL(s) get_octal(s, sizeof(s))
#define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v)
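Review bot: `TAR_BLOB` is only correct when its argument is a real array, because `sizeof(s)` on a pointer yields the pointer size and would silently bound the `strnlen` scan to the wrong length; the neighbouring `GET_OCTAL`/`PUT_OCTAL` share that assumption. A comment above the macro would make the contract explicit, for example `/* s must be a fixed-size char[] field of struct tar_header (not a pointer); the field need not be NUL-terminated */`. The argument is also expanded twice, so it should stay free of side effects.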
@@ -149,8 +150,8 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser,
entry = (struct apk_file_info){
.size = GET_OCTAL(buf.size),
- .uid = apk_resolve_uid(idc, buf.uname, GET_OCTAL(buf.uid)),
- .gid = apk_resolve_gid(idc, buf.gname, GET_OCTAL(buf.gid)),
+ .uid = apk_resolve_uid(idc, TAR_BLOB(buf.uname), GET_OCTAL(buf.uid)),
+ .gid = apk_resolve_gid(idc, TAR_BLOB(buf.gname), GET_OCTAL(buf.gid)),
.mode = GET_OCTAL(buf.mode) & 07777,
.mtime = GET_OCTAL(buf.mtime),
.name = entry.name,
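Review bot: The length-bounded blob is applied only to the two lookup arguments on the `.uid` and `.gid` lines. This hunk starts and ends inside the `entry` initializer of apk_tar_parse, so it does not show whether `buf.uname`/`buf.gname` or the header's other fixed-width text fields are still handed on as plain C strings elsewhere. If they are, those reads can still run past an unterminated field and should get the same `TAR_BLOB(...)` treatment. A regression test with a header whose uname and gname fill the whole field with no NUL byte would pin the fix. A comment above the initializer such as `/* uname/gname may be unterminated in a crafted archive: pass them only as length-bounded blobs */` would record why.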