mqueuefs: Do not allow manipulation of the pseudo-dirents "." and ".."

"." and ".." names are not maintained in the mqueuefs dirent datastructure and cannot be opened as mqueues. Creating or removing them is invalid; return EINVAL instead of crashing. PR: 236836 Submitted by: Torbjørn Birch Moltu <t.b.moltu AT lyse.net> Discussed with: jilles (earlier version)
svn path=/head/; revision=348067
2019-05-21 21:26:14 +00:00 · 2019-05-21 21:26:14 +00:00 · 45d314c556 · 2020-12-20 02:59:44 +00:00
commit 45d314c556
parent 35131b4616
1 changed files with 8 additions and 0 deletions
--- a/sys/kern/uipc_mqueue.c
+++ b/sys/kern/uipc_mqueue.c
@ -2042,6 +2042,12 @@ kern_kmq_open(struct thread *td, const char *upath, int flags, mode_t mode,
 	len = strlen(path);
 	if (len < 2 || path[0] != '/' || strchr(path + 1, '/') != NULL)
 		return (EINVAL);
+	/*
+	 * "." and ".." are magic directories, populated on the fly, and cannot
+	 * be opened as queues.
+	 */
+	if (strcmp(path, "/.") == 0 || strcmp(path, "/..") == 0)
+		return (EINVAL);
 	AUDIT_ARG_UPATH1_CANON(path);

 	error = falloc(td, &fp, &fd, O_CLOEXEC);
@ -2142,6 +2148,8 @@ sys_kmq_unlink(struct thread *td, struct kmq_unlink_args *uap)
 	len = strlen(path);
 	if (len < 2 || path[0] != '/' || strchr(path + 1, '/') != NULL)
 		return (EINVAL);
+	if (strcmp(path, "/.") == 0 || strcmp(path, "/..") == 0)
+		return (EINVAL);
 	AUDIT_ARG_UPATH1_CANON(path);

 	sx_xlock(&mqfs_data.mi_lock);