Commit cb664038 authored by Jo-Philipp Wich's avatar Jo-Philipp Wich

libopkg: check for file size mismatches

Reject package files whose file size deviates from the size specified
in the package index in order to complicate producing hash collisions.


Signed-off-by: default avatarJo-Philipp Wich <>
parent 7708a01a
......@@ -1255,6 +1255,7 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
char *file_sha256, *pkg_sha256;
sigset_t newset, oldset;
const char *local_filename;
struct stat pkg_stat;
time_t now;
if (from_upgrade)
......@@ -1366,6 +1367,29 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
/* Check file size */
err = lstat(local_filename, &pkg_stat);
if (err) {
opkg_msg(ERROR, "Failed to stat %s: %s\n",
local_filename, strerror(errno));
return -1;
if (pkg_stat.st_size != pkg_get_int(pkg, PKG_SIZE)) {
if (!conf->force_checksum) {
"Package size mismatch: %s is %lld bytes, expecting %lld bytes\n",
pkg->name, (long long int)pkg_stat.st_size,
(long long int)pkg_get_int(pkg, PKG_SIZE));
return -1;
} else {
"Ignored %s size mismatch.\n",
/* Check for md5 values */
pkg_md5 = pkg_get_md5(pkg);
if (pkg_md5) {
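Review bot: The new size check calls `lstat()`, which does not follow symbolic links, so if `local_filename` is ever a symlink the compared `st_size` is the length of the link itself rather than of the file that the md5/sha256 checks below go on to read. The size and the hash would then be verified against different objects. Unless rejecting symlinks is the intent (nothing visible says so), I would use `err = stat(local_filename, &pkg_stat);` and refuse anything that is not a regular file with `if (!S_ISREG(pkg_stat.st_mode))`. It is also worth confirming what `pkg_get_int(pkg, PKG_SIZE)` returns when the index entry carries no size: if that is 0, every such package fails the comparison and users are pushed towards `force_checksum`, which presumably also overrides the checksum checks. The body of `opkg_install_pkg` starts and ends outside these hunks and the rendered page appears to have dropped some lines, so this is based on the visible lines only.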