| From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001 |
| From: Prasad J Pandit <pjp@fedoraproject.org> |
| Date: Mon, 13 Jan 2020 17:44:31 +0530 |
| Subject: [PATCH] slirp: tftp: restrict relative path access |
| |
| tftp restricts relative or directory path access on Linux systems. |
| Apply same restrictions on Windows systems too. It helps to avoid |
| directory traversal issue. |
| |
| Fixes: https://bugs.launchpad.net/qemu/+bug/1812451 |
| Reported-by: Peter Maydell <peter.maydell@linaro.org> |
| Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> |
| Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> |
| Message-Id: <20200113121431.156708-1-ppandit@redhat.com> |
| |
| Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch] |
| CVE: CVE-2020-7211 |
| Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| |
| --- |
| slirp/src/tftp.c | 9 +++++++-- |
| 1 file changed, 7 insertions(+), 2 deletions(-) |
| |
| diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c |
| index 093c2e0..e52e71b 100644 |
| --- a/slirp/src/tftp.c |
| +++ b/slirp/src/tftp.c |
| @@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, |
| k += 6; /* skipping octet */ |
| |
| /* do sanity checks on the filename */ |
| - if (!strncmp(req_fname, "../", 3) || |
| - req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) { |
| + if ( |
| +#ifdef G_OS_WIN32 |
| + strstr(req_fname, "..\\") || |
| + req_fname[strlen(req_fname) - 1] == '\\' || |
| +#endif |
| + strstr(req_fname, "../") || |
| + req_fname[strlen(req_fname) - 1] == '/') { |
| tftp_send_error(spt, 2, "Access violation", tp); |
| return; |
| } |
| -- |
| 2.24.1 |
| |