[Slirp] [PATCH v2] slirp: tftp: restrict relative path access
P J P
ppandit at redhat.com
Thu Jan 9 09:46:09 UTC 2020
+-- On Mon, 6 Jan 2020, P J P wrote --+
| memcpy(spt->filename, slirp->tftp_prefix, prefix_len);
| spt->filename[prefix_len] = '/';
| req_fname = spt->filename + prefix_len + 1;
|
| Separator added after tftp_prefix is '/', not '\\'. And tftp_read_data()
| opens the file as
|
| spt->fd = open(spt->filename, O_RDONLY | O_BINARY);
|
| "tftp_prefix/my_directory\\my_library\\my_file.txt"
|
| Likely open(2) would return an error for path like above?
|
| Considering 'tftp_prefix' and 'req_fname' are separated by forward slash
| ('/'), [how] does it support WIN32 tftp server?
|
| @Samuel ...?
Ping...!
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
More information about the Slirp
mailing list