From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001

From: Prasad J Pandit <pjp@fedoraproject.org>

Date: Mon, 13 Jan 2020 17:44:31 +0530

Subject: [PATCH] slirp: tftp: restrict relative path access

tftp restricts relative or directory path access on Linux systems.

Apply same restrictions on Windows systems too. It helps to avoid

directory traversal issue.

Fixes: https://bugs.launchpad.net/qemu/+bug/1812451

Reported-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

Message-Id: <20200113121431.156708-1-ppandit@redhat.com>

---

 src/tftp.c | 9 +++++++--

 1 file changed, 7 insertions(+), 2 deletions(-)

diff -up slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c.CVE-2020-7211 slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c

--- slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c.CVE-2020-7211	2020-01-17 08:02:02.837544967 +0100

+++ slirp4netns-4992082b2af77c09bca6bd8504e2ebfa5e118c18/qemu/slirp/src/tftp.c	2020-01-17 08:14:59.569544607 +0100

@@ -344,9 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp

   k += 6; /* skipping octet */

   /* do sanity checks on the filename */

-  if (!strncmp(req_fname, "../", 3) ||

-      req_fname[strlen(req_fname) - 1] == '/' ||

-      strstr(req_fname, "/../")) {

+  if (

+#ifdef G_OS_WIN32

+    strstr(req_fname, "..\\") ||

+    req_fname[strlen(req_fname) - 1] == '\\' ||

+#endif

+    strstr(req_fname, "../") ||

+    req_fname[strlen(req_fname) - 1] == '/') {

       tftp_send_error(spt, 2, "Access violation", tp);

       return;

   }