|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
Date: Mon, 13 Jan 2020 17:44:31 +0530
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
Subject: [PATCH] slirp: tftp: restrict relative path access
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
tftp restricts relative or directory path access on Linux systems.
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
Apply same restrictions on Windows systems too. It helps to avoid
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
directory traversal issue.
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
Reported-by: Peter Maydell <peter.maydell@linaro.org>
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
---
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
src/tftp.c | 9 +++++++--
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
diff -up ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c.CVE-2020-7211 ./slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
--- slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c.CVE-2020-7211 2020-01-17 08:02:07.630600572 +0100
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
+++ slirp4netns-2244b9b6461afeccad1678fac3d6e478c28b4ad6/vendor/libslirp/src/tftp.c 2020-01-17 08:02:07.632600595 +0100
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
k += 6; /* skipping octet */
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
/* do sanity checks on the filename */
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
- if (!strncmp(req_fname, "../", 3) ||
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
+ if (
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
+#ifdef G_OS_WIN32
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
+ strstr(req_fname, "..\\") ||
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
+ req_fname[strlen(req_fname) - 1] == '\\' ||
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
8cd64c |
+#endif
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
+ strstr(req_fname, "../") ||
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
+ req_fname[strlen(req_fname) - 1] == '/') {
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
tftp_send_error(spt, 2, "Access violation", tp);
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
return;
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1fbe6a |
}
|