author: Julian Andres Klode <julian.klode@canonical.com> 2020-12-04 12:37:19 +0100
committer: Julian Andres Klode <julian.klode@canonical.com> 2020-12-07 12:29:57 +0100
commit: 29581d103fc85d988c1f8a9c995ef9a6bb600500 (patch)
tree: 26da866f9fed111805c3c2cda3f3f96855a2c5b6 /completions
parent: 66962a66970a1f816375620c89de7117a470a6af (diff)
tarfile: OOM hardening: Limit size of long names/links to 1 MiB
Tarballs have long names and long link targets structured by a special tar header with a GNU extension followed by the actual content (padded to 512 bytes). Essentially, think of a name as a special kind of file. The limit of a file size in a header is 12 bytes, aka 10**12 or 1 TB. While this works OK-ish for file content that we stream to extractors, we need to copy file names into memory, and this opens us up to an OOM DoS attack. Limit the file name size to 1 MiB, as libarchive does, to make things safer.
Diffstat (limited to 'completions')
0 files changed, 0 insertions, 0 deletions
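
The check the commit message describes, as an added example that is not the project's own code: validate the declared size of a GNU long name or long link record against the 1 MiB cap before allocating memory for it. The function names are hypothetical; the header offsets (124 for size, 156 for type flag), the octal size encoding and the `L`/`K` type flags are taken from the tar format rather than from this page, and the sample record is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK 512
#define MAX_LONG_NAME (1024 * 1024) /* 1 MiB cap from the commit message */

/* Octal size field (12 bytes at offset 124); -1 if malformed or base-256. */
static int64_t tar_size(const unsigned char *hdr) {
    int64_t v = 0;
    int i;
    for (i = 124; i < 136 && hdr[i] != 0 && hdr[i] != ' '; i++) {
        if (hdr[i] < '0' || hdr[i] > '7') return -1;
        v = v * 8 + (hdr[i] - '0');
    }
    return i > 124 ? v : -1;
}

/* Copy a GNU long name ('L') or long link ('K') payload into memory.
 * NULL if not such a record, malformed, truncated, or over the cap. */
char *read_long_name(const unsigned char *buf, size_t len, size_t *consumed) {
    if (len < BLOCK || (buf[156] != 'L' && buf[156] != 'K')) return NULL;
    int64_t size = tar_size(buf);
    if (size < 0 || size > MAX_LONG_NAME) return NULL; /* before any malloc */
    size_t padded = ((size_t)size + BLOCK - 1) / BLOCK * BLOCK;
    if (len - BLOCK < padded) return NULL; /* payload not fully present */
    char *name = malloc((size_t)size + 1);
    if (name == NULL) return NULL;
    memcpy(name, buf + BLOCK, (size_t)size);
    name[size] = '\0';
    *consumed = BLOCK + padded;
    return name;
}

/* Constructed sample: header block plus one zero-padded payload block. */
void make_record(unsigned char *buf, char type, const char *octal, const char *name) {
    memset(buf, 0, 2 * BLOCK);
    snprintf((char *)buf + 124, 12, "%s", octal);
    buf[156] = (unsigned char)type;
    memcpy(buf + BLOCK, name, strlen(name));
}

int main(void) {
    unsigned char buf[2 * BLOCK];
    size_t used = 0;
    make_record(buf, 'L', "77777777777", ""); /* header claims about 8 GiB */
    printf("rejected: %d\n", read_long_name(buf, sizeof buf, &used) == NULL);
    return 0;
}
```

The size comparison happens on the parsed header value alone, so a hostile header is rejected without reading or allocating anything for its payload.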