[PATCH opkg] libopkg: move file size check after checksum verification

Baptiste Jonglez baptiste at bitsofnetworks.org
Mon Aug 24 06:53:00 EDT 2020


From: Baptiste Jonglez <git at bitsofnetworks.org>

The file size check was added in cb6640381808dd ("libopkg: check for file
size mismatches").  Its purpose is to provide an additional line of
defense against hash collisions.

It is more user-friendly to tell the user that the checksum is wrong, so
move the file size check to the end.

Signed-off-by: Baptiste Jonglez <git at bitsofnetworks.org>
---
 libopkg/opkg_install.c | 48 +++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c
index 27c9484..183a1dc 100644
--- a/libopkg/opkg_install.c
+++ b/libopkg/opkg_install.c
@@ -1367,30 +1367,6 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 	}
 #endif
 
-	/* Check file size */
-	err = lstat(local_filename, &pkg_stat);
-
-	if (err) {
-		opkg_msg(ERROR, "Failed to stat %s: %s\n",
-		         local_filename, strerror(errno));
-		return -1;
-	}
-
-	pkg_expected_size = pkg_get_int(pkg, PKG_SIZE);
-
-	if (pkg_expected_size > 0 && pkg_stat.st_size != pkg_expected_size) {
-		if (!conf->force_checksum) {
-			opkg_msg(ERROR,
-			         "Package size mismatch: %s is %lld bytes, expecting %lld bytes\n",
-			         pkg->name, (long long int)pkg_stat.st_size, pkg_expected_size);
-			return -1;
-		} else {
-			opkg_msg(NOTICE,
-			         "Ignored %s size mismatch.\n",
-			         pkg->name);
-		}
-	}
-
 	/* Check for md5 values */
 	pkg_md5 = pkg_get_md5(pkg);
 	if (pkg_md5) {
@@ -1434,6 +1410,30 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 			free(file_sha256);
 	}
 
+	/* Check file size */
+	err = lstat(local_filename, &pkg_stat);
+
+	if (err) {
+		opkg_msg(ERROR, "Failed to stat %s: %s\n",
+		         local_filename, strerror(errno));
+		return -1;
+	}
+
+	pkg_expected_size = pkg_get_int(pkg, PKG_SIZE);
+
+	if (pkg_expected_size > 0 && pkg_stat.st_size != pkg_expected_size) {
+		if (!conf->force_checksum) {
+			opkg_msg(ERROR,
+			         "Package size mismatch: %s is %lld bytes, expecting %lld bytes\n",
+			         pkg->name, (long long int)pkg_stat.st_size, pkg_expected_size);
+			return -1;
+		} else {
+			opkg_msg(NOTICE,
+			         "Ignored %s size mismatch.\n",
+			         pkg->name);
+		}
+	}
+
 	if (conf->download_only) {
 		if (conf->nodeps == 0) {
 			err = satisfy_dependencies_for(pkg);
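Review bot: The moved block keeps the bare comment `/* Check file size */`, so nothing in the code records why a cheap lstat() comparison now runs after the md5/sha256 passes instead of before them, and a later reader could reasonably move it back as an optimisation. I would expand the comment to something like `/* Check file size last: a checksum mismatch is the clearer error; the size check stays as an extra guard against hash collisions */`. The check is also skipped when `pkg_expected_size` is not positive and only logs a NOTICE under `conf->force_checksum`, so it adds protection only when the package metadata supplies a size and checksums are enforced. `pkg_expected_size` is passed to `%lld` without a cast while `st_size` is cast, and its declaration is outside the hunk, so it is worth confirming it is a `long long`. opkg_install_pkg begins and ends outside this hunk.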
-- 
2.27.0



