From 9176a977d9f0970e3251493fcd71f3c1be0834ae Mon Sep 17 00:00:00 2001
From: Timo Teräs
Date: Mon, 10 Apr 2023 13:41:19 +0300
Subject: io: harden apk_fileinfo_get

Do not attempt to get xattrs from symlinks. Their extraction is not supported either. Do not use alloca.
---
 src/io.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/io.c b/src/io.c
index 0a441bc..65dee6a 100644
--- a/src/io.c
+++ b/src/io.c
@@ -737,7 +737,7 @@ int apk_fileinfo_get(int atfd, const char *filename, unsigned int flags,
 .device = st.st_dev,
 };
- if (xattr_checksum != APK_CHECKSUM_NONE) {
+ if (xattr_checksum != APK_CHECKSUM_NONE && !S_ISLNK(fi->mode)) {
 ssize_t len, vlen;
 int fd, i, r;
 char val[1024], buf[1024];
@@ -775,12 +775,10 @@ int apk_fileinfo_get(int atfd, const char *filename, unsigned int flags,
 /* Checksum file content */
 if ((flags & APK_FI_NOFOLLOW) && S_ISLNK(st.st_mode)) {
- char *target = alloca(st.st_size);
- if (target == NULL)
- return -ENOMEM;
+ char target[PATH_MAX];
+ if (st.st_size > sizeof target) return -ENOMEM;
 if (readlinkat(atfd, filename, target, st.st_size) < 0)
 return -errno;
-
 EVP_Digest(target, st.st_size, fi->csum.data, NULL, apk_checksum_evp(checksum), NULL);
 fi->csum.type = checksum;
-- 
cgit v1.2.3-60-g2f50
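Review bot: The new guard on the xattr block tests `fi->mode` while the symlink test at the content-checksum branch a few lines further down uses `st.st_mode`; the two are presumably the same value (fi->mode looks to be filled from the stat result in the initializer just above this hunk, which is not visible here), but spelling the check the same way in both places makes the relationship obvious and keeps it correct if the initializer ever changes. Suggest `if (xattr_checksum != APK_CHECKSUM_NONE && !S_ISLNK(st.st_mode)) {` together with a why-comment such as `/* xattrs on symlinks are neither read here nor extracted, so skip them */`. apk_fileinfo_get starts before and ends after this hunk.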
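Review bot: The EVP_Digest line still hashes `st.st_size` bytes of `target` while the length that readlinkat() actually returned is thrown away, so if the link's target changes length between the stat and the readlinkat (or a filesystem reports a symlink st_size that does not match the target) the digest covers a truncated target or uninitialized stack bytes; the new `st.st_size > sizeof target` check stops the stack overflow but not this. Using the readlinkat() result as both the bound check and the digest length, and passing `sizeof target` so the kernel does the bounding, closes the gap and also removes the signed/unsigned comparison between `off_t` and `size_t` that the added check introduces. The `-ENOMEM` returned for an over-long target reads oddly where `-ENAMETOOLONG` would describe the condition, though callers may already depend on it, so that part is only a suggestion. apk_fileinfo_get begins before this hunk and continues after it.
```c
	if ((flags & APK_FI_NOFOLLOW) && S_ISLNK(st.st_mode)) {
		char target[PATH_MAX];
		/* bound by the buffer, not by a possibly stale st_size */
		ssize_t tlen = readlinkat(atfd, filename, target, sizeof target);
		if (tlen < 0) return -errno;
		/* a result that fills the buffer may have been truncated; refuse it */
		if ((size_t)tlen >= sizeof target) return -ENOMEM;
		EVP_Digest(target, (size_t)tlen, fi->csum.data, NULL, apk_checksum_evp(checksum), NULL);
		/* … unchanged: fi->csum.type = checksum; … */
```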