[Slirp] [PATCH] slirp: tftp: restrict relative path access
Philippe Mathieu-Daudé
philmd at redhat.com
Thu Jan 2 11:55:22 UTC 2020
On 1/2/20 10:28 AM, Marc-André Lureau wrote:
> Hi
>
> On Mon, Dec 30, 2019 at 5:00 PM P J P <ppandit at redhat.com> wrote:
>>
>> From: Prasad J Pandit <pjp at fedoraproject.org>
>>
>> tftp restricts relative or directory path access on Linux systems.
>> Apply same restrictions on Windows systems too. It helps to avoid
>> directory traversal issue.
>>
>> Reported-by: Peter Maydell <peter.maydell at linaro.org>
>> Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
>> ---
>> src/tftp.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/tftp.c b/src/tftp.c
>> index 093c2e0..55d9353 100644
>> --- a/src/tftp.c
>> +++ b/src/tftp.c
>> @@ -344,8 +344,9 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
>> k += 6; /* skipping octet */
>>
>> /* do sanity checks on the filename */
>> - if (!strncmp(req_fname, "../", 3) ||
>> - req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
>> + if (strstr(req_fname, "../") || strstr(req_fname, "..\\")
>> + || req_fname[strlen(req_fname) - 1] == '/'
>> + || req_fname[strlen(req_fname) - 1] == '\\') {
>> tftp_send_error(spt, 2, "Access violation", tp);
>> return;
>> }
>
> Please divide the rule for #ifdef G_OS_WIN32 .. #else ..
I'm confused here, req_fname[] is client-controlled, right?
I'm seeing it filled in tftp_input():
struct tftp_t *tp = (struct tftp_t *)m->m_data;
So the path separator used differs from the client, not the server...
Does it makes sense to handle this differently regarding the server OS?
> You changed the existing rule, and it seems to break some valid cases
> ex: /foo/bar/../blah
>
> This traversal problem is so common, I wonder if there are known good
> practices...
>
>> --
>> 2.24.1
>>
>> _______________________________________________
>> Slirp mailing list
>> Slirp at lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/slirp
>
>
>
More information about the Slirp
mailing list