1 files changed, 83 insertions, 1 deletions

diff --git a/test/interactive-helper/createdeb-cve-2020-27350.cc b/test/interactive-helper/createdeb-cve-2020-27350.cc
index 9103c2137..7c58eb9df 100644
--- a/test/interactive-helper/createdeb-cve-2020-27350.cc
+++ b/test/interactive-helper/createdeb-cve-2020-27350.cc
@@ -142,8 +142,82 @@ static void set_checksum(unsigned char block[512])
    }
    snprintf(tar->Checksum, sizeof(tar->Checksum), "%o", sum);
 }
+static void base256_encode(char *Str, unsigned long long Num, unsigned int Len)
+{
+   Str += Len;
+   while (Len-- > 0) {
+      *--Str = static_cast<char>(Num & 0xff);
+      Num >>= 8;
+   }
+
+  *Str |= 0x80; // mark as base256
+}
+
+// Create a deb with a control.tar that contains a too large file or link name (GNU extension)
+static void createdeb_bigtarfilelength(const int fd, int flag, unsigned long long size = 64llu * 1024 * 1024 + 1)
+{
+   // Magic number
+   static const char *magic = "!<arch>\n";
+   write_chk(fd, magic, strlen(magic));
+
+   struct Header h;
+   memset(&h, ' ', sizeof(h));
+   memcpy(h.Name, "debian-binary/     ", sizeof(h.Name));
+   h.MTime[0] = '0';
+   h.UID[0] = '0';
+   h.GID[0] = '0';
+   memcpy(h.Mode, "644", 3);
+   h.Size[0] = '0';
+   memcpy(h.Magic, "`\n", 2);
+
+   write_chk(fd, &h, sizeof(h));
+
+   memset(&h, ' ', sizeof(h));
+   memcpy(h.Name, "data.tar/       ", sizeof(h.Name));
+   h.MTime[0] = '0';
+   h.UID[0] = '0';
+   h.GID[0] = '0';
+   memcpy(h.Mode, "644", 3);
+   h.Size[0] = '0';
+   memcpy(h.Magic, "`\n", 2);
+
+   write_chk(fd, &h, sizeof(h));
+
+   memset(&h, ' ', sizeof(h));
+   memcpy(h.Name, "control.tar/       ", sizeof(h.Name));
+   h.MTime[0] = '0';
+   h.UID[0] = '0';
+   h.GID[0] = '0';
+   memcpy(h.Mode, "644", 3);
+   memcpy(h.Size, "512", 3);
+   memcpy(h.Magic, "`\n", 2);
+
+   write_chk(fd, &h, sizeof(h));
+   union
+   {
+      struct TarHeader t;
+      unsigned char buf[512];
+   } t;
+   for (unsigned int i = 0; i < sizeof(t.buf); i++)
+      t.buf[i] = '7';
+   memcpy(t.t.Name, "control\0        ", 16);
+   memcpy(t.t.UserName, "userName", 8);
+   memcpy(t.t.GroupName, "thisIsAGroupNamethisIsAGroupName", 32);
+   t.t.LinkFlag = flag;
+   base256_encode(t.t.Size, size, sizeof(t.t.Size));
+   memset(t.t.Checksum, ' ', sizeof(t.t.Checksum));
+
+   unsigned long sum = 0;
+   for (unsigned int i = 0; i < sizeof(t.buf); i++)
+      sum += t.buf[i];
+
+   int written = sprintf(t.t.Checksum, "%lo", sum);
+   for (unsigned int i = written; i < sizeof(t.t.Checksum); i++)
+      t.t.Checksum[i] = ' ';
+
+   write_chk(fd, t.buf, sizeof(t.buf));
+}
 
-// This does not trigger a vulnerability. It is just a basis for exploration.
 static void createdeb_test(const int fd)
 {
    // Magic number
@@ -221,6 +295,14 @@ int main(int argc, char *argv[])
    {
       createdeb_leakfd(fd);
    }
+   else if (strcmp(mode, "long-name") == 0)
+   {
+      createdeb_bigtarfilelength(fd, 'L');
+   }
+   else if (strcmp(mode, "long-link") == 0)
+   {
+      createdeb_bigtarfilelength(fd, 'K');
+   }
    else if (strcmp(mode, "test") == 0)
    {
       createdeb_test(fd);