From 74061958f56a4626a3a146c72f16e43012e828f1 Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Thu, 14 Sep 2017 15:39:23 +0200

Subject: [PATCH] netns: avoid directory traversal

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1468529

Upstream Status: iproute2.git commit 79928fd0552b5

commit 79928fd0552b520aa36a22e71144d10a32f7e4fe

Author: Matteo Croce <mcroce@redhat.com>

Date:   Thu Jul 20 00:36:32 2017 +0200

    netns: avoid directory traversal

    ip netns keeps track of created namespaces with bind mounts named

    /var/run/netns/<namespace>. No input sanitization is done, allowing creation and

    deletion of files relatives to /var/run/netns or, if the path is non existent or

    invalid, allows to create "untracked" namespaces (invisible to the tool).

    This commit denies creation or deletion of namespaces with names contaning

    "/" or matching exactly "." or "..".

    Signed-off-by: Matteo Croce <mcroce@redhat.com>

---

 ip/ipnetns.c | 10 ++++++++++

 1 file changed, 10 insertions(+)

diff --git a/ip/ipnetns.c b/ip/ipnetns.c

index 0b0378a..4254994 100644

--- a/ip/ipnetns.c

+++ b/ip/ipnetns.c

@@ -766,6 +766,11 @@ static int netns_monitor(int argc, char **argv)

 	return 0;

 }

+static int invalid_name(const char *name)

+{

+	return strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, "..");

+}

+

 int do_netns(int argc, char **argv)

 {

 	netns_nsid_socket_init();

@@ -775,6 +780,11 @@ int do_netns(int argc, char **argv)

 		return netns_list(0, NULL);

 	}

+	if (argc > 1 && invalid_name(argv[1])) {

+		fprintf(stderr, "Invalid netns name \"%s\"\n", argv[1]);

+		exit(-1);

+	}

+

 	if ((matches(*argv, "list") == 0) || (matches(*argv, "show") == 0) ||

 	    (matches(*argv, "lst") == 0)) {

 		netns_map_init();

-- 

1.8.3.1