
Changeset 76775 in vbox for trunk/src/VBox


Timestamp:
Jan 11, 2019 1:06:44 PM (6 years ago)
Author:
vboxsync
Message:

NAT/tftp: (bugref:9350) Do not allow access to paths not starting with tftp_prefix.

Location:
trunk/src/VBox/Devices/Network/slirp
Files:
2 edited

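--- a/trunk/src/VBox/Devices/Network/slirp/slirp.c
+++ b/trunk/src/VBox/Devices/Network/slirp/slirp.c
@@ -52,4 +52,5 @@
 #include <iprt/assert.h>
 #include <iprt/file.h>
+#include <iprt/path.h>
 #ifndef RT_OS_WINDOWS
 # include <sys/ioctl.h>
@@ -579,4 +580,6 @@
     WSACleanup();
 #endif
+    if (tftp_prefix)
+        RTStrFree((char *)tftp_prefix);
 #ifdef LOG_ENABLED
     Log(("\n"
@@ -1664,5 +1667,7 @@
 {
     Log2(("tftp_prefix: %s\n", tftpPrefix));
-    tftp_prefix = tftpPrefix;
+    if (tftp_prefix)
+        RTStrFree((char *)tftp_prefix);
+    tftp_prefix = RTPathAbsDup(tftpPrefix);
 }
 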
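Review bot: At new line 1671 the setter hands `tftpPrefix` straight to RTPathAbsDup, whereas the old code stored a NULL argument unchanged and tftpSecurityFilenameCheck still treats a NULL prefix as a distinct case. If any caller passes NULL to leave TFTP unconfigured, that case should stay explicit, e.g. `tftp_prefix = tftpPrefix ? RTPathAbsDup(tftpPrefix) : NULL;`. In the teardown path (new lines 582–583) the pointer is left dangling after RTStrFree; adding `tftp_prefix = NULL;` there keeps any later reader on the fail-closed `!tftp_prefix` branch instead of on freed memory. The `(char *)` cast suggests the field is still declared const although it now owns heap memory, which is worth a comment at its declaration (not on this page). Both enclosing functions begin outside the hunks shown.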
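--- a/trunk/src/VBox/Devices/Network/slirp/tftp.c
+++ b/trunk/src/VBox/Devices/Network/slirp/tftp.c
@@ -46,4 +46,5 @@
 #include <iprt/file.h>
 #include <iprt/err.h>
+#include <iprt/path.h>
 
 typedef enum ENMTFTPSESSIONFMT
@@ -133,17 +134,20 @@
 DECLINLINE(int) tftpSecurityFilenameCheck(PNATState pData, PCTFTPSESSION pcTftpSession)
 {
-    size_t cbSessionFilename = 0;
     int rc = VINF_SUCCESS;
     AssertPtrReturn(pcTftpSession, VERR_INVALID_PARAMETER);
-    cbSessionFilename = RTStrNLen((const char *)pcTftpSession->pszFilename, TFTP_FILENAME_MAX);
-    if (   !RTStrNCmp((const char*)pcTftpSession->pszFilename, "../", 3)
-        || (pcTftpSession->pszFilename[cbSessionFilename - 1] == '/')
-        ||  RTStrStr((const char *)pcTftpSession->pszFilename, "/../"))
-        rc = VERR_FILE_NOT_FOUND;
 
     /* only allow exported prefixes */
-    if (   RT_SUCCESS(rc)
-        && !tftp_prefix)
+    if (!tftp_prefix)
         rc = VERR_INTERNAL_ERROR;
+    else
+    {
+        char *pszFullPathAbs = RTPathAbsExDup(tftp_prefix, (const char*)pcTftpSession->pszFilename);
+
+        if (   !pszFullPathAbs
+            || !RTPathStartsWith(pszFullPathAbs, tftp_prefix))
+            rc = VERR_FILE_NOT_FOUND;
+
+        RTStrFree(pszFullPathAbs);
+    }
     LogFlowFuncLeaveRC(rc);
     return rc;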
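Review bot: The containment test at new lines 144–150 validates a path string and then frees it, so whatever code later opens the file (outside this hunk) must rebuild the path itself; the guarantee holds only if that code joins tftp_prefix and pszFilename the same way. The test also appears to be a string-level prefix comparison, so unless RTPathAbsExDup resolves symlinks (not visible here), a link placed below the export directory would still pass. I would state that limit above the block, e.g. `/* Lexical check only: rejects ".." escapes; symlinks below tftp_prefix are not resolved here. */`. A name that normalises to the prefix directory itself now passes as well, since the removed trailing-'/' test has no replacement; confirm the open path rejects directories. The function's closing brace lies outside the hunk.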