diff options
author | des <des@FreeBSD.org> | 2014-11-04 23:29:57 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2014-11-04 23:29:57 +0000 |
commit | 39bef156480aa8cce94125589bb5778c82e062be (patch) | |
tree | 9c2cbda3a3f4a6042a08bf2fa907f8cdfc614d84 | |
parent | 94b1b738687b766f5bec09130331c42d0f5e0655 (diff) | |
download | FreeBSD-src-39bef156480aa8cce94125589bb5778c82e062be.zip FreeBSD-src-39bef156480aa8cce94125589bb5778c82e062be.tar.gz |
[SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
[SA-14:26] Fix remote command execution in ftp(1).
Approved by: so (des)
-rw-r--r-- | contrib/tnftp/src/fetch.c | 36 | ||||
-rw-r--r-- | sys/kern/kern_prot.c | 31 |
2 files changed, 38 insertions, 29 deletions
diff --git a/contrib/tnftp/src/fetch.c b/contrib/tnftp/src/fetch.c index 91b49fd..72153a5 100644 --- a/contrib/tnftp/src/fetch.c +++ b/contrib/tnftp/src/fetch.c @@ -547,7 +547,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) url_decode(decodedpath); if (outfile) - savefile = ftp_strdup(outfile); + savefile = outfile; else { cp = strrchr(decodedpath, '/'); /* find savefile */ if (cp != NULL) @@ -571,8 +571,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) rangestart = rangeend = entitylen = -1; mtime = -1; if (restartautofetch) { - if (strcmp(savefile, "-") != 0 && *savefile != '|' && - stat(savefile, &sb) == 0) + if (stat(savefile, &sb) == 0) restart_point = sb.st_size; } if (urltype == FILE_URL_T) { /* file:// URLs */ @@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) } /* end of ftp:// or http:// specific setup */ /* Open the output file. */ - if (strcmp(savefile, "-") == 0) { - fout = stdout; - } else if (*savefile == '|') { - oldintp = xsignal(SIGPIPE, SIG_IGN); - fout = popen(savefile + 1, "w"); - if (fout == NULL) { - warn("Can't execute `%s'", savefile + 1); - goto cleanup_fetch_url; + + /* + * Only trust filenames with special meaning if they came from + * the command line + */ + if (outfile == savefile) { + if (strcmp(savefile, "-") == 0) { + fout = stdout; + } else if (*savefile == '|') { + oldintp = xsignal(SIGPIPE, SIG_IGN); + fout = popen(savefile + 1, "w"); + if (fout == NULL) { + warn("Can't execute `%s'", savefile + 1); + goto cleanup_fetch_url; + } + closefunc = pclose; } - closefunc = pclose; - } else { + } + if (fout == NULL) { if ((rangeend != -1 && rangeend <= restart_point) || (rangestart == -1 && filesize != -1 && filesize <= restart_point)) { /* already done */ @@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) (*closefunc)(fout); if (res0) freeaddrinfo(res0); - FREEPTR(savefile); + if (savefile != outfile) + FREEPTR(savefile); FREEPTR(uuser); if (pass != NULL) memset(pass, 0, strlen(pass)); diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index f99e053..9f7325c0 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -2073,21 +2073,20 @@ struct getlogin_args { int sys_getlogin(struct thread *td, struct getlogin_args *uap) { - int error; char login[MAXLOGNAME]; struct proc *p = td->td_proc; + size_t len; if (uap->namelen > MAXLOGNAME) uap->namelen = MAXLOGNAME; PROC_LOCK(p); SESS_LOCK(p->p_session); - bcopy(p->p_session->s_login, login, uap->namelen); + len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; SESS_UNLOCK(p->p_session); PROC_UNLOCK(p); - if (strlen(login) + 1 > uap->namelen) + if (len > uap->namelen) return (ERANGE); - error = copyout(login, uap->namebuf, uap->namelen); - return (error); + return (copyout(login, uap->namebuf, len)); } /* @@ -2106,21 +2105,23 @@ sys_setlogin(struct thread *td, struct setlogin_args *uap) int error; char logintmp[MAXLOGNAME]; + CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); + error = priv_check(td, PRIV_PROC_SETLOGIN); if (error) return (error); error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); - if (error == ENAMETOOLONG) - error = EINVAL; - else if (!error) { - PROC_LOCK(p); - SESS_LOCK(p->p_session); - (void) memcpy(p->p_session->s_login, logintmp, - sizeof(logintmp)); - SESS_UNLOCK(p->p_session); - PROC_UNLOCK(p); + if (error != 0) { + if (error == ENAMETOOLONG) + error = EINVAL; + return (error); } - return (error); + PROC_LOCK(p); + SESS_LOCK(p->p_session); + strcpy(p->p_session->s_login, logintmp); + SESS_UNLOCK(p->p_session); + PROC_UNLOCK(p); + return (0); } void |