From 38c8dc91a43cbb8d7d08e92c5149929a12007840 Mon Sep 17 00:00:00 2001
From: Patrick McDermott
Date: Mon, 17 Apr 2023 13:30:40 -0400
Subject: ustar: Verify header checksums
---
(limited to 'src/ustar.c')
diff --git a/src/ustar.c b/src/ustar.c
index a4395f4..c183560 100644
--- a/src/ustar.c
+++ b/src/ustar.c
@@ -75,7 +75,11 @@ _opkg_opk_ustar_next(struct opkg_opk_ustar *ustar,
 struct _opkg_opk_ustar_header *header)
 {
 static unsigned char record[OPKG_OPK_USTAR_RECORD_SIZE];
- char *size_end;
+ char *end;
+ uint32_t chksum_got;
+ uint32_t chksum_exp;
+ int i;
+ unsigned char *header_uc;
 switch (opkg_opk_gzip_read(ustar->gzip, header)) {
 case OPKG_OPK_OK:
@@ -88,13 +92,31 @@ _opkg_opk_ustar_next(struct opkg_opk_ustar *ustar,
 if (memcmp(header, record, OPKG_OPK_USTAR_RECORD_SIZE) == 0) {
 return OPKG_OPK_END;
 }
+
 if (memcmp(header->magic, "ustar", strlen("ustar")) != 0) {
 return OPKG_OPK_ERROR;
 }
- ustar->data_size_remaining = strtol((char *) header->size, &size_end,
+ chksum_got = strtol((char *) header->chksum, &end,
+ OPKG_OPK_USTAR_NUM_BASE_);
+ chksum_exp = 0;
+ if (*end != '\0') {
+ return OPKG_OPK_ERROR;
+ }
+ for (i = 0; i < sizeof(header->chksum); ++i) {
+ header->chksum[i] = ' ';
+ }
+ header_uc = header;
+ for (i = 0; i < OPKG_OPK_USTAR_RECORD_SIZE; ++i) {
+ chksum_exp += header_uc[i];
+ }
+ if (chksum_got != chksum_exp) {
+ return OPKG_OPK_ERROR;
+ }
+
+ ustar->data_size_remaining = strtol((char *) header->size, &end,
 OPKG_OPK_USTAR_NUM_BASE_);
- if (*size_end != '\0') {
+ if (*end != '\0') {
 return OPKG_OPK_ERROR;
 }
--
cgit v0.9.1
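Review bot: `int i;` is compared against `sizeof(header->chksum)` in the second hunk, which is a signed/unsigned comparison; `size_t i;` fits both loops. `chksum_got` is a `uint32_t` that receives the `long` returned by `strtol()`, so a negative or oversized parse is silently wrapped instead of rejected; parsing into a `long` and range-checking it before the assignment would make that explicit. The function body starts before and continues after this hunk.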
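Review bot: `strtol()` is run directly on `header->chksum`, a fixed-width field taken from the archive, so nothing guarantees a NUL inside the field; if every byte is a digit the parse carries on into the bytes that follow it and `end` lands outside the field. Copying the field into a local buffer one byte longer, terminating it and parsing that keeps the conversion bounded, as sketched below; the `header->size` parse at the end of the hunk has the same shape, although this commit only renames its end pointer. `header_uc = header;` also assigns a struct pointer to `unsigned char *` without a cast, which compilers diagnose and recent GCC rejects by default, so the sketch casts it. The blanking loop leaves the caller's `header->chksum` overwritten with spaces, which deserves a one-line comment if it is intended. The function starts and ends outside this hunk.

```c
	/* … unchanged: end-of-archive and magic checks … */
	/* field and parsed would be declared with the other locals */
	char field[sizeof(header->chksum) + 1];
	long parsed;

	memcpy(field, header->chksum, sizeof(header->chksum));
	field[sizeof(header->chksum)] = '\0';
	parsed = strtol(field, &end, OPKG_OPK_USTAR_NUM_BASE_);
	if (end == field || *end != '\0' || parsed < 0) {
		return OPKG_OPK_ERROR;
	}
	chksum_got = (uint32_t) parsed;
	header_uc = (unsigned char *) header;
	/* … unchanged: blanking of header->chksum, summation, comparison … */
```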