authorPanu Matilainen <pmatilai@redhat.com>2012-01-19 08:25:15 +0200
committerPanu Matilainen <pmatilai@redhat.com>2012-04-03 15:45:46 +0300
commite4eab2bc6d07cfd33f740071de7ddbb2fe2f4190 (patch)
tree47d9fdace09c67dfbf825a097bdeb36b0ddb37f7 /lib/header.c
parenteaece70c1e80f6830b4a222f0ba47f4a75a0136b (diff)
Specifically validate region tag on header import
- Region tags need to have very specific content; the generic header tag checks are not sufficient to ensure sanity. Verify that the tag is one of the known region tags and that the entry has the expected type and count.
- Fixes the first half of CVE-2012-0060
Diffstat (limited to 'lib/header.c')
-rw-r--r--lib/header.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/header.c b/lib/header.c
index 023c6e30d..f7d3ade59 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -828,10 +828,13 @@ Header headerImport(void * blob, unsigned int bsize, headerImportFlags flags)
entry->info.type = htonl(pe->type);
entry->info.count = htonl(pe->count);
+ entry->info.tag = htonl(pe->tag);
- if (hdrchkType(entry->info.type))
+ if (!ENTRY_IS_REGION(entry))
+ goto errxit;
+ if (entry->info.type != REGION_TAG_TYPE)
goto errxit;
- if (hdrchkTags(entry->info.count))
+ if (entry->info.count != REGION_TAG_COUNT)
goto errxit;
{ int off = ntohl(pe->offset);
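Review bot: The moved assignment `entry->info.tag = htonl(pe->tag);` now has to run before `ENTRY_IS_REGION(entry)`, which presumably reads `entry->info.tag` (the macro is defined outside the hunk), but nothing on these lines records that ordering. A one-line comment above the assignment, such as `/* set tag first: ENTRY_IS_REGION() below inspects it */`, would keep a later reorder from making the region check test a value that has not been filled in yet. As a point of style, the type, count and tag conversions use `htonl` while the offset on the last line of the hunk uses `ntohl`; the two perform the same byte swap, but `ntohl(pe->tag)` names the direction actually meant when reading fields from the imported blob. The body of headerImport starts and ends outside the hunk.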
@@ -847,7 +850,6 @@ Header headerImport(void * blob, unsigned int bsize, headerImportFlags flags)
ril = rdl/sizeof(*pe);
if (hdrchkTags(ril) || hdrchkData(rdl))
goto errxit;
- entry->info.tag = htonl(pe->tag);
} else {
ril = il;
rdl = (ril * sizeof(struct entryInfo_s));