From: Mark Wielaard
Date: Wed, 13 May 2026 15:56:18 +0000 (+0200)
Subject: debuginfod: Don't trust x-debuginfod-size in debuginfod_validate_imasig
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14d3cbf11cc07ddd56e7371e83ee1bcdda9a988b;p=thirdparty%2Felfutils.git

debuginfod: Don't trust x-debuginfod-size in debuginfod_validate_imasig

Double check file size the server sent against the file size we actually got in debuginfod_validate_imasig. So we check the signature over the whole file size as we received it. Otherwise we might be creating a hash over a shorter (possibly zero sized) data.

This makes sure the server sends a signature that should match the full file (and not just an arbitrary shorter prefix).

* debuginfod/debuginfod-client.c (debuginfod_validate_imasig): Call fstat on fd and check x-debuginfod-size equals received file size.

Signed-off-by: Mark Wielaard
---
diff --git a/debuginfod/debuginfod-client.c b/debuginfod/debuginfod-client.c index 6340c8c2..f2b82ac7 100644 --- a/debuginfod/debuginfod-client.c +++ b/debuginfod/debuginfod-client.c @@ -1640,6 +1640,21 @@ debuginfod_validate_imasig (debuginfod_client *c, int fd) goto exit_validate; } + /* Don't trust the size the server sent us, double check against the + file size that we actually got. That way we calculate the hash + over the whole file and not a shorter (possibly empty) data size. */ + struct stat st; + if (fstat (fd, &st) == -1) + { + rc = -errno; + goto exit_validate; + } + if (data_len != st.st_size) + { + rc = -EBADMSG; + goto exit_validate; + } + char file_data[DATA_SIZE]; // imaevm.h data chunk hash size ssize_t n; for(off_t k = 0; k < data_len; k += n)
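
Review bot: The new comparison `if (data_len != st.st_size)` has an `off_t` on its right-hand side, and the declaration of `data_len` is not visible in this hunk; if it is unsigned or narrower than `off_t` the check relies on implicit conversion, so consider making both sides `off_t` explicitly, and rejecting a negative or unparsable header value before this point if that is not already done above. The mismatch path returns `-EBADMSG` with no diagnostic, so if the signature-failure path uses the same code a caller cannot tell a wrong `x-debuginfod-size` from a bad signature; a message on the mismatch path would help triage. `st_size` is only meaningful for regular files, so an `S_ISREG (st.st_mode)` check after the `fstat` would make that assumption explicit. The patch changes only `debuginfod-client.c`; a regression test that serves a header size smaller than the body (including zero) would pin the behaviour the commit message describes.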