platform/external/busybox.git - Unnamed repository; edit this file 'description' to name the repository.

1 /* vi: set sw=4 ts=4: */
2 /* Licensed under GPLv2 or later, see file LICENSE in this source tree.
3  *
4  * FIXME:
5  *    In privileged mode if uname and gname map to a uid and gid then use the
6  *    mapped value instead of the uid/gid values in tar header
7  *
8  * References:
9  *    GNU tar and star man pages,
10  *    Opengroup's ustar interchange format,
11  *    http://www.opengroup.org/onlinepubs/007904975/utilities/pax.html
12  */
13
14 #include "libbb.h"
15 #include "bb_archive.h"
16
17 typedef uint32_t aliased_uint32_t FIX_ALIASING;
18 typedef off_t    aliased_off_t    FIX_ALIASING;
19
20 /* NB: _DESTROYS_ str[len] character! */
21 static unsigned long long getOctal(char *str, int len)
22 {
23 	unsigned long long v;
24 	char *end;
25 	/* NB: leading spaces are allowed. Using strtoull to handle that.
26 	 * The downside is that we accept e.g. "-123" too :(
27 	 */
28 	str[len] = '\0';
29 	v = strtoull(str, &end, 8);
30 	/* std: "Each numeric field is terminated by one or more
31 	 * <space> or NUL characters". We must support ' '! */
32 	if (*end != '\0' && *end != ' ') {
33 		int8_t first = str[0];
34 		if (!(first & 0x80))
35 			bb_error_msg_and_die("corrupted octal value in tar header");
36 		/*
37 		 * GNU tar uses "base-256 encoding" for very large numbers.
38 		 * Encoding is binary, with highest bit always set as a marker
39 		 * and sign in next-highest bit:
40 		 * 80 00 .. 00 - zero
41 		 * bf ff .. ff - largest positive number
42 		 * ff ff .. ff - minus 1
43 		 * c0 00 .. 00 - smallest negative number
44 		 *
45 		 * Example of tar file with 8914993153 (0x213600001) byte file.
46 		 * Field starts at offset 7c:
47 		 * 00070  30 30 30 00 30 30 30 30  30 30 30 00 80 00 00 00  |000.0000000.....|
48 		 * 00080  00 00 00 02 13 60 00 01  31 31 31 32 30 33 33 36  |.....`..11120336|
49 		 *
50 		 * NB: tarballs with NEGATIVE unix times encoded that way were seen!
51 		 */
52 		/* Sign-extend 7bit 'first' to 64bit 'v' (that is, using 6th bit as sign): */
53 		first <<= 1;
54 		first >>= 1; /* now 7th bit = 6th bit */
55 		v = first;   /* sign-extend 8 bits to 64 */
56 		while (--len != 0)
57 			v = (v << 8) + (uint8_t) *++str;
58 	}
59 	return v;
60 }
61 #define GET_OCTAL(a) getOctal((a), sizeof(a))
62
63 #define TAR_EXTD (ENABLE_FEATURE_TAR_GNU_EXTENSIONS || ENABLE_FEATURE_TAR_SELINUX)
64 #if !TAR_EXTD
65 #define process_pax_hdr(archive_handle, sz, global) \
66 	process_pax_hdr(archive_handle, sz)
67 #endif
68 /* "global" is 0 or 1 */
69 static void process_pax_hdr(archive_handle_t *archive_handle, unsigned sz, int global)
70 {
71 #if !TAR_EXTD
72 	unsigned blk_sz = (sz + 511) & (~511);
73 	seek_by_read(archive_handle->src_fd, blk_sz);
74 #else
75 	unsigned blk_sz = (sz + 511) & (~511);
76 	char *buf, *p;
77
78 	p = buf = xmalloc(blk_sz + 1);
79 	xread(archive_handle->src_fd, buf, blk_sz);
80 	archive_handle->offset += blk_sz;
81
82 	/* prevent bb_strtou from running off the buffer */
83 	buf[sz] = '\0';
84
85 	while (sz != 0) {
86 		char *end, *value;
87 		unsigned len;
88
89 		/* Every record has this format: "LEN NAME=VALUE\n" */
90 		len = bb_strtou(p, &end, 10);
91 		/* expect errno to be EINVAL, because the character
92 		 * following the digits should be a space
93 		 */
94 		p += len;
95 		sz -= len;
96 		if (
97 		/** (int)sz < 0 - not good enough for huge malicious VALUE of 2^32-1 */
98 		    (int)(sz|len) < 0 /* this works */
99 		 || len == 0
100 		 || errno != EINVAL
101 		 || *end != ' '
102 		) {
103 			bb_error_msg("malformed extended header, skipped");
104 			// More verbose version:
105 			//bb_error_msg("malformed extended header at %"OFF_FMT"d, skipped",
106 			//		archive_handle->offset - (sz + len));
107 			break;
108 		}
109 		/* overwrite the terminating newline with NUL
110 		 * (we do not bother to check that it *was* a newline)
111 		 */
112 		p[-1] = '\0';
113 		value = end + 1;
114
115 # if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
116 		if (!global) {
117 			if (is_prefixed_with(value, "path=")) {
118 				value += sizeof("path=") - 1;
119 				free(archive_handle->tar__longname);
120 				archive_handle->tar__longname = xstrdup(value);
121 				continue;
122 			}
123 			if (is_prefixed_with(value, "linkpath=")) {
124 				value += sizeof("linkpath=") - 1;
125 				free(archive_handle->tar__linkname);
126 				archive_handle->tar__linkname = xstrdup(value);
127 				continue;
128 			}
129 		}
130 # endif
131
132 # if ENABLE_FEATURE_TAR_SELINUX
133 		/* Scan for SELinux contexts, via "RHT.security.selinux" keyword.
134 		 * This is what Red Hat's patched version of tar uses.
135 		 */
136 #  define SELINUX_CONTEXT_KEYWORD "RHT.security.selinux"
137 		if (is_prefixed_with(value, SELINUX_CONTEXT_KEYWORD"=")) {
138 			value += sizeof(SELINUX_CONTEXT_KEYWORD"=") - 1;
139 			free(archive_handle->tar__sctx[global]);
140 			archive_handle->tar__sctx[global] = xstrdup(value);
141 			continue;
142 		}
143 # endif
144 	}
145
146 	free(buf);
147 #endif
148 }
149
150 char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
151 {
152 	file_header_t *file_header = archive_handle->file_header;
153 	struct tar_header_t tar;
154 	char *cp;
155 	int i, sum_u, sum;
156 #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
157 	int sum_s;
158 #endif
159 	int parse_names;
160
161 	/* Our "private data" */
162 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
163 # define p_longname (archive_handle->tar__longname)
164 # define p_linkname (archive_handle->tar__linkname)
165 #else
166 # define p_longname 0
167 # define p_linkname 0
168 #endif
169
170 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS || ENABLE_FEATURE_TAR_SELINUX
171  again:
172 #endif
173 	/* Align header */
174 	data_align(archive_handle, 512);
175
176  again_after_align:
177
178 #if ENABLE_DESKTOP || ENABLE_FEATURE_TAR_AUTODETECT
179 	/* to prevent misdetection of bz2 sig */
180 	*(aliased_uint32_t*)&tar = 0;
181 	i = full_read(archive_handle->src_fd, &tar, 512);
182 	/* If GNU tar sees EOF in above read, it says:
183 	 * "tar: A lone zero block at N", where N = kilobyte
184 	 * where EOF was met (not EOF block, actual EOF!),
185 	 * and exits with EXIT_SUCCESS.
186 	 * We will mimic exit(EXIT_SUCCESS), although we will not mimic
187 	 * the message and we don't check whether we indeed
188 	 * saw zero block directly before this. */
189 	if (i == 0) {
190 		/* GNU tar 1.29 will be silent if tar archive ends abruptly
191 		 * (if there are no zero blocks at all, and last read returns zero,
192 		 * not short read 0 < len < 512). Complain only if
193 		 * the very first read fails. Grrr.
194 		 */
195 		if (archive_handle->offset == 0)
196 			bb_error_msg("short read");
197 		/* this merely signals end of archive, not exit(1): */
198 		return EXIT_FAILURE;
199 	}
200 	if (i != 512) {
201 		IF_FEATURE_TAR_AUTODETECT(goto autodetect;)
202 		bb_error_msg_and_die("short read");
203 	}
204
205 #else
206 	i = 512;
207 	xread(archive_handle->src_fd, &tar, i);
208 #endif
209 	archive_handle->offset += i;
210
211 	/* If there is no filename its an empty header */
212 	if (tar.name[0] == 0 && tar.prefix[0] == 0
213 	/* Have seen a tar archive with pax 'x' header supplying UTF8 filename,
214 	 * with actual file having all name fields NUL-filled. Check this: */
215 	 && !p_longname
216 	) {
217 		if (archive_handle->tar__end) {
218 			/* Second consecutive empty header - end of archive.
219 			 * Read until the end to empty the pipe from gz or bz2
220 			 */
221 			while (full_read(archive_handle->src_fd, &tar, 512) == 512)
222 				continue;
223 			return EXIT_FAILURE; /* "end of archive" */
224 		}
225 		archive_handle->tar__end = 1;
226 		return EXIT_SUCCESS; /* "decoded one header" */
227 	}
228 	archive_handle->tar__end = 0;
229
230 	/* Check header has valid magic, "ustar" is for the proper tar,
231 	 * five NULs are for the old tar format  */
232 	if (!is_prefixed_with(tar.magic, "ustar")
233 	 && (!ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY
234 	     || memcmp(tar.magic, "\0\0\0\0", 5) != 0)
235 	) {
236 #if ENABLE_FEATURE_TAR_AUTODETECT
237  autodetect:
238 		/* Two different causes for lseek() != 0:
239 		 * unseekable fd (would like to support that too, but...),
240 		 * or not first block (false positive, it's not .gz/.bz2!) */
241 		if (lseek(archive_handle->src_fd, -i, SEEK_CUR) != 0)
242 			goto err;
243 		if (setup_unzip_on_fd(archive_handle->src_fd, /*fail_if_not_compressed:*/ 0) != 0)
244  err:
245 			bb_error_msg_and_die("invalid tar magic");
246 		archive_handle->offset = 0;
247 		goto again_after_align;
248 #endif
249 		bb_error_msg_and_die("invalid tar magic");
250 	}
251
252 	/* Do checksum on headers.
253 	 * POSIX says that checksum is done on unsigned bytes, but
254 	 * Sun and HP-UX gets it wrong... more details in
255 	 * GNU tar source. */
256 #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
257 	sum_s = ' ' * sizeof(tar.chksum);
258 #endif
259 	sum_u = ' ' * sizeof(tar.chksum);
260 	for (i = 0; i < 148; i++) {
261 		sum_u += ((unsigned char*)&tar)[i];
262 #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
263 		sum_s += ((signed char*)&tar)[i];
264 #endif
265 	}
266 	for (i = 156; i < 512; i++) {
267 		sum_u += ((unsigned char*)&tar)[i];
268 #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
269 		sum_s += ((signed char*)&tar)[i];
270 #endif
271 	}
272 	/* This field does not need special treatment (getOctal) */
273 	{
274 		char *endp; /* gcc likes temp var for &endp */
275 		sum = strtoul(tar.chksum, &endp, 8);
276 		if ((*endp != '\0' && *endp != ' ')
277 		 || (sum_u != sum IF_FEATURE_TAR_OLDSUN_COMPATIBILITY(&& sum_s != sum))
278 		) {
279 			bb_error_msg_and_die("invalid tar header checksum");
280 		}
281 	}
282 	/* don't use xstrtoul, tar.chksum may have leading spaces */
283 	sum = strtoul(tar.chksum, NULL, 8);
284 	if (sum_u != sum IF_FEATURE_TAR_OLDSUN_COMPATIBILITY(&& sum_s != sum)) {
285 		bb_error_msg_and_die("invalid tar header checksum");
286 	}
287
288 	/* 0 is reserved for high perf file, treat as normal file */
289 	if (!tar.typeflag) tar.typeflag = '0';
290 	parse_names = (tar.typeflag >= '0' && tar.typeflag <= '7');
291
292 	/* getOctal trashes subsequent field, therefore we call it
293 	 * on fields in reverse order */
294 	if (tar.devmajor[0]) {
295 		char t = tar.prefix[0];
296 		/* we trash prefix[0] here, but we DO need it later! */
297 		unsigned minor = GET_OCTAL(tar.devminor);
298 		unsigned major = GET_OCTAL(tar.devmajor);
299 		file_header->device = makedev(major, minor);
300 		tar.prefix[0] = t;
301 	}
302 	file_header->link_target = NULL;
303 	if (!p_linkname && parse_names && tar.linkname[0]) {
304 		file_header->link_target = xstrndup(tar.linkname, sizeof(tar.linkname));
305 		/* FIXME: what if we have non-link object with link_target? */
306 		/* Will link_target be free()ed? */
307 	}
308 #if ENABLE_FEATURE_TAR_UNAME_GNAME
309 	file_header->tar__uname = tar.uname[0] ? xstrndup(tar.uname, sizeof(tar.uname)) : NULL;
310 	file_header->tar__gname = tar.gname[0] ? xstrndup(tar.gname, sizeof(tar.gname)) : NULL;
311 #endif
312 	file_header->mtime = GET_OCTAL(tar.mtime);
313 	file_header->size = GET_OCTAL(tar.size);
314 	file_header->gid = GET_OCTAL(tar.gid);
315 	file_header->uid = GET_OCTAL(tar.uid);
316 	/* Set bits 0-11 of the files mode */
317 	file_header->mode = 07777 & GET_OCTAL(tar.mode);
318
319 	file_header->name = NULL;
320 	if (!p_longname && parse_names) {
321 		/* we trash mode[0] here, it's ok */
322 		//tar.name[sizeof(tar.name)] = '\0'; - gcc 4.3.0 would complain
323 		tar.mode[0] = '\0';
324 		if (tar.prefix[0]) {
325 			/* and padding[0] */
326 			//tar.prefix[sizeof(tar.prefix)] = '\0'; - gcc 4.3.0 would complain
327 			tar.padding[0] = '\0';
328 			file_header->name = concat_path_file(tar.prefix, tar.name);
329 		} else
330 			file_header->name = xstrdup(tar.name);
331 	}
332
333 	/* Set bits 12-15 of the files mode */
334 	/* (typeflag was not trashed because chksum does not use getOctal) */
335 	switch (tar.typeflag) {
336 	case '1': /* hardlink */
337 		/* we mark hardlinks as regular files with zero size and a link name */
338 		file_header->mode |= S_IFREG;
339 		/* on size of link fields from star(4)
340 		 * ... For tar archives written by pre POSIX.1-1988
341 		 * implementations, the size field usually contains the size of
342 		 * the file and needs to be ignored as no data may follow this
343 		 * header type.  For POSIX.1- 1988 compliant archives, the size
344 		 * field needs to be 0.  For POSIX.1-2001 compliant archives,
345 		 * the size field may be non zero, indicating that file data is
346 		 * included in the archive.
347 		 * i.e; always assume this is zero for safety.
348 		 */
349 		goto size0;
350 	case '7':
351 	/* case 0: */
352 	case '0':
353 #if ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY
354 		if (last_char_is(file_header->name, '/')) {
355 			goto set_dir;
356 		}
357 #endif
358 		file_header->mode |= S_IFREG;
359 		break;
360 	case '2':
361 		file_header->mode |= S_IFLNK;
362 		/* have seen tarballs with size field containing
363 		 * the size of the link target's name */
364  size0:
365 		file_header->size = 0;
366 		break;
367 	case '3':
368 		file_header->mode |= S_IFCHR;
369 		goto size0; /* paranoia */
370 	case '4':
371 		file_header->mode |= S_IFBLK;
372 		goto size0;
373 	case '5':
374  IF_FEATURE_TAR_OLDGNU_COMPATIBILITY(set_dir:)
375 		file_header->mode |= S_IFDIR;
376 		goto size0;
377 	case '6':
378 		file_header->mode |= S_IFIFO;
379 		goto size0;
380 	case 'g':	/* pax global header */
381 	case 'x': {	/* pax extended header */
382 		if ((uoff_t)file_header->size > 0xfffff) /* paranoia */
383 			goto skip_ext_hdr;
384 		process_pax_hdr(archive_handle, file_header->size, (tar.typeflag == 'g'));
385 		goto again_after_align;
386 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
387 /* See http://www.gnu.org/software/tar/manual/html_node/Extensions.html */
388 	case 'L':
389 		/* free: paranoia: tar with several consecutive longnames */
390 		free(p_longname);
391 		/* For paranoia reasons we allocate extra NUL char */
392 		p_longname = xzalloc(file_header->size + 1);
393 		/* We read ASCIZ string, including NUL */
394 		xread(archive_handle->src_fd, p_longname, file_header->size);
395 		archive_handle->offset += file_header->size;
396 		/* return get_header_tar(archive_handle); */
397 		/* gcc 4.1.1 didn't optimize it into jump */
398 		/* so we will do it ourself, this also saves stack */
399 		goto again;
400 	case 'K':
401 		free(p_linkname);
402 		p_linkname = xzalloc(file_header->size + 1);
403 		xread(archive_handle->src_fd, p_linkname, file_header->size);
404 		archive_handle->offset += file_header->size;
405 		/* return get_header_tar(archive_handle); */
406 		goto again;
407 /*
408  *	case 'S':	// Sparse file
409  * Was seen in the wild. Not supported (yet?).
410  * See https://www.gnu.org/software/tar/manual/html_section/tar_92.html
411  * for the format. (An "Old GNU Format" was seen, not PAX formats).
412  */
413 //	case 'D':	/* GNU dump dir */
414 //	case 'M':	/* Continuation of multi volume archive */
415 //	case 'N':	/* Old GNU for names > 100 characters */
416 //	case 'V':	/* Volume header */
417 #endif
418 	}
419  skip_ext_hdr:
420 	{
421 		off_t sz;
422 		bb_error_msg("warning: skipping header '%c'", tar.typeflag);
423 		sz = (file_header->size + 511) & ~(off_t)511;
424 		archive_handle->offset += sz;
425 		sz >>= 9; /* sz /= 512 but w/o contortions for signed div */
426 		while (sz--)
427 			xread(archive_handle->src_fd, &tar, 512);
428 		/* return get_header_tar(archive_handle); */
429 		goto again_after_align;
430 	}
431 	default:
432 		bb_error_msg_and_die("unknown typeflag: 0x%x", tar.typeflag);
433 	}
434
435 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
436 	if (p_longname) {
437 		file_header->name = p_longname;
438 		p_longname = NULL;
439 	}
440 	if (p_linkname) {
441 		file_header->link_target = p_linkname;
442 		p_linkname = NULL;
443 	}
444 #endif
445
446 	/* Everything up to and including last ".." component is stripped */
447 	overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name));
448 //TODO: do the same for file_header->link_target?
449
450 	/* Strip trailing '/' in directories */
451 	/* Must be done after mode is set as '/' is used to check if it's a directory */
452 	cp = last_char_is(file_header->name, '/');
453
454 	if (archive_handle->filter(archive_handle) == EXIT_SUCCESS) {
455 		archive_handle->action_header(/*archive_handle->*/ file_header);
456 		/* Note that we kill the '/' only after action_header() */
457 		/* (like GNU tar 1.15.1: verbose mode outputs "dir/dir/") */
458 		if (cp)
459 			*cp = '\0';
460 		archive_handle->action_data(archive_handle);
461 		if (archive_handle->accept || archive_handle->reject
462 		 || (archive_handle->ah_flags & ARCHIVE_REMEMBER_NAMES)
463 		) {
464 			llist_add_to(&archive_handle->passed, file_header->name);
465 		} else /* Caller isn't interested in list of unpacked files */
466 			free(file_header->name);
467 	} else {
468 		data_skip(archive_handle);
469 		free(file_header->name);
470 	}
471 	archive_handle->offset += file_header->size;
472
473 	free(file_header->link_target);
474 	/* Do not free(file_header->name)!
475 	 * It might be inserted in archive_handle->passed - see above */
476 #if ENABLE_FEATURE_TAR_UNAME_GNAME
477 	free(file_header->tar__uname);
478 	free(file_header->tar__gname);
479 #endif
480 	return EXIT_SUCCESS; /* "decoded one header" */
481 }
482
1	/* vi: set sw=4 ts=4: */
2	/* Licensed under GPLv2 or later, see file LICENSE in this source tree.
3	*
4	* FIXME:
5	* In privileged mode if uname and gname map to a uid and gid then use the
6	* mapped value instead of the uid/gid values in tar header
7	*
8	* References:
9	* GNU tar and star man pages,
10	* Opengroup's ustar interchange format,
11	* http://www.opengroup.org/onlinepubs/007904975/utilities/pax.html
12	*/
13
14	#include "libbb.h"
15	#include "bb_archive.h"
16
17	typedef uint32_t aliased_uint32_t FIX_ALIASING;
18	typedef off_t aliased_off_t FIX_ALIASING;
19
20	/* NB: _DESTROYS_ str[len] character! */
21	static unsigned long long getOctal(char *str, int len)
22	{
23	unsigned long long v;
24	char *end;
25	/* NB: leading spaces are allowed. Using strtoull to handle that.
26	* The downside is that we accept e.g. "-123" too :(
27	*/
28	str[len] = '\0';
29	v = strtoull(str, &end, 8);
30	/* std: "Each numeric field is terminated by one or more
31	* <space> or NUL characters". We must support ' '! */
32	if (end != '\0' && end != ' ') {
33	int8_t first = str[0];
34	if (!(first & 0x80))
35	bb_error_msg_and_die("corrupted octal value in tar header");
36	/*
37	* GNU tar uses "base-256 encoding" for very large numbers.
38	* Encoding is binary, with highest bit always set as a marker
39	* and sign in next-highest bit:
40	* 80 00 .. 00 - zero
41	* bf ff .. ff - largest positive number
42	* ff ff .. ff - minus 1
43	* c0 00 .. 00 - smallest negative number
44	*
45	* Example of tar file with 8914993153 (0x213600001) byte file.
46	* Field starts at offset 7c:
47	* 00070 30 30 30 00 30 30 30 30 30 30 30 00 80 00 00 00 \|000.0000000.....\|
48	* 00080 00 00 00 02 13 60 00 01 31 31 31 32 30 33 33 36 \|.....`..11120336\|
49	*
50	* NB: tarballs with NEGATIVE unix times encoded that way were seen!
51	*/
52	/* Sign-extend 7bit 'first' to 64bit 'v' (that is, using 6th bit as sign): */
53	first <<= 1;
54	first >>= 1; /* now 7th bit = 6th bit */
55	v = first; /* sign-extend 8 bits to 64 */
56	while (--len != 0)
57	v = (v << 8) + (uint8_t) *++str;
58	}
59	return v;
60	}
61	#define GET_OCTAL(a) getOctal((a), sizeof(a))
62
63	#define TAR_EXTD (ENABLE_FEATURE_TAR_GNU_EXTENSIONS \|\| ENABLE_FEATURE_TAR_SELINUX)
64	#if !TAR_EXTD
65	#define process_pax_hdr(archive_handle, sz, global) \
66	process_pax_hdr(archive_handle, sz)
67	#endif
68	/* "global" is 0 or 1 */
69	static void process_pax_hdr(archive_handle_t *archive_handle, unsigned sz, int global)
70	{
71	#if !TAR_EXTD
72	unsigned blk_sz = (sz + 511) & (~511);
73	seek_by_read(archive_handle->src_fd, blk_sz);
74	#else
75	unsigned blk_sz = (sz + 511) & (~511);
76	char buf, p;
77
78	p = buf = xmalloc(blk_sz + 1);
79	xread(archive_handle->src_fd, buf, blk_sz);
80	archive_handle->offset += blk_sz;
81
82	/* prevent bb_strtou from running off the buffer */
83	buf[sz] = '\0';
84
85	while (sz != 0) {
86	char end, value;
87	unsigned len;
88
89	/* Every record has this format: "LEN NAME=VALUE\n" */
90	len = bb_strtou(p, &end, 10);
91	/* expect errno to be EINVAL, because the character
92	* following the digits should be a space
93	*/
94	p += len;
95	sz -= len;
96	if (
97	/** (int)sz < 0 - not good enough for huge malicious VALUE of 2^32-1 */
98	(int)(sz\|len) < 0 /* this works */
99	\|\| len == 0
100	\|\| errno != EINVAL
101	\|\| *end != ' '
102	) {
103	bb_error_msg("malformed extended header, skipped");
104	// More verbose version:
105	//bb_error_msg("malformed extended header at %"OFF_FMT"d, skipped",
106	// archive_handle->offset - (sz + len));
107	break;
108	}
109	/* overwrite the terminating newline with NUL
110	* (we do not bother to check that it was a newline)
111	*/
112	p[-1] = '\0';
113	value = end + 1;
114
115	# if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
116	if (!global) {
117	if (is_prefixed_with(value, "path=")) {
118	value += sizeof("path=") - 1;
119	free(archive_handle->tar__longname);
120	archive_handle->tar__longname = xstrdup(value);
121	continue;
122	}
123	if (is_prefixed_with(value, "linkpath=")) {
124	value += sizeof("linkpath=") - 1;
125	free(archive_handle->tar__linkname);
126	archive_handle->tar__linkname = xstrdup(value);
127	continue;
128	}
129	}
130	# endif
131
132	# if ENABLE_FEATURE_TAR_SELINUX
133	/* Scan for SELinux contexts, via "RHT.security.selinux" keyword.
134	* This is what Red Hat's patched version of tar uses.
135	*/
136	# define SELINUX_CONTEXT_KEYWORD "RHT.security.selinux"
137	if (is_prefixed_with(value, SELINUX_CONTEXT_KEYWORD"=")) {
138	value += sizeof(SELINUX_CONTEXT_KEYWORD"=") - 1;
139	free(archive_handle->tar__sctx[global]);
140	archive_handle->tar__sctx[global] = xstrdup(value);
141	continue;
142	}
143	# endif
144	}
145
146	free(buf);
147	#endif
148	}
149
150	char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
151	{
152	file_header_t *file_header = archive_handle->file_header;
153	struct tar_header_t tar;
154	char *cp;
155	int i, sum_u, sum;
156	#if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
157	int sum_s;
158	#endif
159	int parse_names;
160
161	/* Our "private data" */
162	#if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
163	# define p_longname (archive_handle->tar__longname)
164	# define p_linkname (archive_handle->tar__linkname)
165	#else
166	# define p_longname 0
167	# define p_linkname 0
168	#endif
169
170	#if ENABLE_FEATURE_TAR_GNU_EXTENSIONS \|\| ENABLE_FEATURE_TAR_SELINUX
171	again:
172	#endif
173	/* Align header */
174	data_align(archive_handle, 512);
175
176	again_after_align:
177
178	#if ENABLE_DESKTOP \|\| ENABLE_FEATURE_TAR_AUTODETECT
179	/* to prevent misdetection of bz2 sig */
180	(aliased_uint32_t)&tar = 0;
181	i = full_read(archive_handle->src_fd, &tar, 512);
182	/* If GNU tar sees EOF in above read, it says:
183	* "tar: A lone zero block at N", where N = kilobyte
184	* where EOF was met (not EOF block, actual EOF!),
185	* and exits with EXIT_SUCCESS.
186	* We will mimic exit(EXIT_SUCCESS), although we will not mimic
187	* the message and we don't check whether we indeed
188	* saw zero block directly before this. */
189	if (i == 0) {
190	/* GNU tar 1.29 will be silent if tar archive ends abruptly
191	* (if there are no zero blocks at all, and last read returns zero,
192	* not short read 0 < len < 512). Complain only if
193	* the very first read fails. Grrr.
194	*/
195	if (archive_handle->offset == 0)
196	bb_error_msg("short read");
197	/* this merely signals end of archive, not exit(1): */
198	return EXIT_FAILURE;
199	}
200	if (i != 512) {
201	IF_FEATURE_TAR_AUTODETECT(goto autodetect;)
202	bb_error_msg_and_die("short read");
203	}
204
205	#else
206	i = 512;
207	xread(archive_handle->src_fd, &tar, i);
208	#endif
209	archive_handle->offset += i;
210
211	/* If there is no filename its an empty header */
212	if (tar.name[0] == 0 && tar.prefix[0] == 0
213	/* Have seen a tar archive with pax 'x' header supplying UTF8 filename,
214	* with actual file having all name fields NUL-filled. Check this: */
215	&& !p_longname
216	) {
217	if (archive_handle->tar__end) {
218	/* Second consecutive empty header - end of archive.
219	* Read until the end to empty the pipe from gz or bz2
220	*/
221	while (full_read(archive_handle->src_fd, &tar, 512) == 512)
222	continue;
223	return EXIT_FAILURE; /* "end of archive" */
224	}
225	archive_handle->tar__end = 1;
226	return EXIT_SUCCESS; /* "decoded one header" */
227	}
228	archive_handle->tar__end = 0;
229
230	/* Check header has valid magic, "ustar" is for the proper tar,
231	* five NULs are for the old tar format */
232	if (!is_prefixed_with(tar.magic, "ustar")
233	&& (!ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY
234	\|\| memcmp(tar.magic, "\0\0\0\0", 5) != 0)
235	) {
236	#if ENABLE_FEATURE_TAR_AUTODETECT
237	autodetect:
238	/* Two different causes for lseek() != 0:
239	* unseekable fd (would like to support that too, but...),
240	* or not first block (false positive, it's not .gz/.bz2!) */
241	if (lseek(archive_handle->src_fd, -i, SEEK_CUR) != 0)
242	goto err;
243	if (setup_unzip_on_fd(archive_handle->src_fd, /fail_if_not_compressed:/ 0) != 0)
244	err:
245	bb_error_msg_and_die("invalid tar magic");
246	archive_handle->offset = 0;
247	goto again_after_align;
248	#endif
249	bb_error_msg_and_die("invalid tar magic");
250	}
251
252	/* Do checksum on headers.
253	* POSIX says that checksum is done on unsigned bytes, but
254	* Sun and HP-UX gets it wrong... more details in
255	* GNU tar source. */
256	#if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
257	sum_s = ' ' * sizeof(tar.chksum);
258	#endif
259	sum_u = ' ' * sizeof(tar.chksum);
260	for (i = 0; i < 148; i++) {
261	sum_u += ((unsigned char*)&tar)[i];
262	#if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
263	sum_s += ((signed char*)&tar)[i];
264	#endif
265	}
266	for (i = 156; i < 512; i++) {
267	sum_u += ((unsigned char*)&tar)[i];
268	#if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
269	sum_s += ((signed char*)&tar)[i];
270	#endif
271	}
272	/* This field does not need special treatment (getOctal) */
273	{
274	char endp; / gcc likes temp var for &endp */
275	sum = strtoul(tar.chksum, &endp, 8);
276	if ((endp != '\0' && endp != ' ')
277	\|\| (sum_u != sum IF_FEATURE_TAR_OLDSUN_COMPATIBILITY(&& sum_s != sum))
278	) {
279	bb_error_msg_and_die("invalid tar header checksum");
280	}
281	}
282	/* don't use xstrtoul, tar.chksum may have leading spaces */
283	sum = strtoul(tar.chksum, NULL, 8);
284	if (sum_u != sum IF_FEATURE_TAR_OLDSUN_COMPATIBILITY(&& sum_s != sum)) {
285	bb_error_msg_and_die("invalid tar header checksum");
286	}
287
288	/* 0 is reserved for high perf file, treat as normal file */
289	if (!tar.typeflag) tar.typeflag = '0';
290	parse_names = (tar.typeflag >= '0' && tar.typeflag <= '7');
291
292	/* getOctal trashes subsequent field, therefore we call it
293	* on fields in reverse order */
294	if (tar.devmajor[0]) {
295	char t = tar.prefix[0];
296	/* we trash prefix[0] here, but we DO need it later! */
297	unsigned minor = GET_OCTAL(tar.devminor);
298	unsigned major = GET_OCTAL(tar.devmajor);
299	file_header->device = makedev(major, minor);
300	tar.prefix[0] = t;
301	}
302	file_header->link_target = NULL;
303	if (!p_linkname && parse_names && tar.linkname[0]) {
304	file_header->link_target = xstrndup(tar.linkname, sizeof(tar.linkname));
305	/* FIXME: what if we have non-link object with link_target? */
306	/* Will link_target be free()ed? */
307	}
308	#if ENABLE_FEATURE_TAR_UNAME_GNAME
309	file_header->tar__uname = tar.uname[0] ? xstrndup(tar.uname, sizeof(tar.uname)) : NULL;
310	file_header->tar__gname = tar.gname[0] ? xstrndup(tar.gname, sizeof(tar.gname)) : NULL;
311	#endif
312	file_header->mtime = GET_OCTAL(tar.mtime);
313	file_header->size = GET_OCTAL(tar.size);
314	file_header->gid = GET_OCTAL(tar.gid);
315	file_header->uid = GET_OCTAL(tar.uid);
316	/* Set bits 0-11 of the files mode */
317	file_header->mode = 07777 & GET_OCTAL(tar.mode);
318
319	file_header->name = NULL;
320	if (!p_longname && parse_names) {
321	/* we trash mode[0] here, it's ok */
322	//tar.name[sizeof(tar.name)] = '\0'; - gcc 4.3.0 would complain
323	tar.mode[0] = '\0';
324	if (tar.prefix[0]) {
325	/* and padding[0] */
326	//tar.prefix[sizeof(tar.prefix)] = '\0'; - gcc 4.3.0 would complain
327	tar.padding[0] = '\0';
328	file_header->name = concat_path_file(tar.prefix, tar.name);
329	} else
330	file_header->name = xstrdup(tar.name);
331	}
332
333	/* Set bits 12-15 of the files mode */
334	/* (typeflag was not trashed because chksum does not use getOctal) */
335	switch (tar.typeflag) {
336	case '1': /* hardlink */
337	/* we mark hardlinks as regular files with zero size and a link name */
338	file_header->mode \|= S_IFREG;
339	/* on size of link fields from star(4)
340	* ... For tar archives written by pre POSIX.1-1988
341	* implementations, the size field usually contains the size of
342	* the file and needs to be ignored as no data may follow this
343	* header type. For POSIX.1- 1988 compliant archives, the size
344	* field needs to be 0. For POSIX.1-2001 compliant archives,
345	* the size field may be non zero, indicating that file data is
346	* included in the archive.
347	* i.e; always assume this is zero for safety.
348	*/
349	goto size0;
350	case '7':
351	/* case 0: */
352	case '0':
353	#if ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY
354	if (last_char_is(file_header->name, '/')) {
355	goto set_dir;
356	}
357	#endif
358	file_header->mode \|= S_IFREG;
359	break;
360	case '2':
361	file_header->mode \|= S_IFLNK;
362	/* have seen tarballs with size field containing
363	* the size of the link target's name */
364	size0:
365	file_header->size = 0;
366	break;
367	case '3':
368	file_header->mode \|= S_IFCHR;
369	goto size0; /* paranoia */
370	case '4':
371	file_header->mode \|= S_IFBLK;
372	goto size0;
373	case '5':
374	IF_FEATURE_TAR_OLDGNU_COMPATIBILITY(set_dir:)
375	file_header->mode \|= S_IFDIR;
376	goto size0;
377	case '6':
378	file_header->mode \|= S_IFIFO;
379	goto size0;
380	case 'g': /* pax global header */
381	case 'x': { /* pax extended header */
382	if ((uoff_t)file_header->size > 0xfffff) /* paranoia */
383	goto skip_ext_hdr;
384	process_pax_hdr(archive_handle, file_header->size, (tar.typeflag == 'g'));
385	goto again_after_align;
386	#if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
387	/* See http://www.gnu.org/software/tar/manual/html_node/Extensions.html */
388	case 'L':
389	/* free: paranoia: tar with several consecutive longnames */
390	free(p_longname);
391	/* For paranoia reasons we allocate extra NUL char */
392	p_longname = xzalloc(file_header->size + 1);
393	/* We read ASCIZ string, including NUL */
394	xread(archive_handle->src_fd, p_longname, file_header->size);
395	archive_handle->offset += file_header->size;
396	/* return get_header_tar(archive_handle); */
397	/* gcc 4.1.1 didn't optimize it into jump */
398	/* so we will do it ourself, this also saves stack */
399	goto again;
400	case 'K':
401	free(p_linkname);
402	p_linkname = xzalloc(file_header->size + 1);
403	xread(archive_handle->src_fd, p_linkname, file_header->size);
404	archive_handle->offset += file_header->size;
405	/* return get_header_tar(archive_handle); */
406	goto again;
407	/*
408	* case 'S': // Sparse file
409	* Was seen in the wild. Not supported (yet?).
410	* See https://www.gnu.org/software/tar/manual/html_section/tar_92.html
411	* for the format. (An "Old GNU Format" was seen, not PAX formats).
412	*/
413	// case 'D': /* GNU dump dir */
414	// case 'M': /* Continuation of multi volume archive */
415	// case 'N': /* Old GNU for names > 100 characters */
416	// case 'V': /* Volume header */
417	#endif
418	}
419	skip_ext_hdr:
420	{
421	off_t sz;
422	bb_error_msg("warning: skipping header '%c'", tar.typeflag);
423	sz = (file_header->size + 511) & ~(off_t)511;
424	archive_handle->offset += sz;
425	sz >>= 9; /* sz /= 512 but w/o contortions for signed div */
426	while (sz--)
427	xread(archive_handle->src_fd, &tar, 512);
428	/* return get_header_tar(archive_handle); */
429	goto again_after_align;
430	}
431	default:
432	bb_error_msg_and_die("unknown typeflag: 0x%x", tar.typeflag);
433	}
434
435	#if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
436	if (p_longname) {
437	file_header->name = p_longname;
438	p_longname = NULL;
439	}
440	if (p_linkname) {
441	file_header->link_target = p_linkname;
442	p_linkname = NULL;
443	}
444	#endif
445
446	/* Everything up to and including last ".." component is stripped */
447	overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name));
448	//TODO: do the same for file_header->link_target?
449
450	/* Strip trailing '/' in directories */
451	/* Must be done after mode is set as '/' is used to check if it's a directory */
452	cp = last_char_is(file_header->name, '/');
453
454	if (archive_handle->filter(archive_handle) == EXIT_SUCCESS) {
455	archive_handle->action_header(/archive_handle->/ file_header);
456	/* Note that we kill the '/' only after action_header() */
457	/* (like GNU tar 1.15.1: verbose mode outputs "dir/dir/") */
458	if (cp)
459	*cp = '\0';
460	archive_handle->action_data(archive_handle);
461	if (archive_handle->accept \|\| archive_handle->reject
462	\|\| (archive_handle->ah_flags & ARCHIVE_REMEMBER_NAMES)
463	) {
464	llist_add_to(&archive_handle->passed, file_header->name);
465	} else /* Caller isn't interested in list of unpacked files */
466	free(file_header->name);
467	} else {
468	data_skip(archive_handle);
469	free(file_header->name);
470	}
471	archive_handle->offset += file_header->size;
472
473	free(file_header->link_target);
474	/* Do not free(file_header->name)!
475	* It might be inserted in archive_handle->passed - see above */
476	#if ENABLE_FEATURE_TAR_UNAME_GNAME
477	free(file_header->tar__uname);
478	free(file_header->tar__gname);
479	#endif
480	return EXIT_SUCCESS; /* "decoded one header" */
481	}
482