
/*
* Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software contributed to Berkeley by
* Guido van Rossum.
*
* Copyright (c) 2011 The FreeBSD Foundation
* All rights reserved.
* Portions of this software were developed by David Chisnall
* under sponsorship from the FreeBSD Foundation.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)glob.c 8.3 (Berkeley) 10/13/93";
#endif /* LIBC_SCCS and not lint */
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
/*
* glob(3) -- a superset of the one defined in POSIX 1003.2.
*
* The [!...] convention to negate a range is supported (SysV, Posix, ksh).
*
* Optional extra services, controlled by flags not defined by POSIX:
*
* GLOB_QUOTE:
* Escaping convention: \ inhibits any special meaning the following
* character might have (except \ at end of string is retained).
* GLOB_MAGCHAR:
* Set in gl_flags if pattern contained a globbing character.
* GLOB_NOMAGIC:
* Same as GLOB_NOCHECK, but it will only append pattern if it did
* not contain any magic characters. [Used in csh style globbing]
* GLOB_ALTDIRFUNC:
* Use alternately specified directory access functions.
* GLOB_TILDE:
* expand ~user/foo to the /home/dir/of/user/foo
* GLOB_BRACE:
* expand {1,2}{a,b} to 1a 1b 2a 2b
* gl_matchc:
* Number of matches in the current invocation of glob.
*/
/*
* Some notes on multibyte character support:
* 1. Patterns with illegal byte sequences match nothing - even if
* GLOB_NOCHECK is specified.
* 2. Illegal byte sequences in filenames are handled by treating each byte
* of the sequence as a single-byte character whose value is that byte
* cast to wchar_t.
* 3. State-dependent encodings are not currently supported.
*/
#include <sys/param.h>
#include <sys/stat.h>
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <glob.h>
#include <limits.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <wchar.h>
#include "collate.h"
/*
 * glob(3) expansion limits. Stop the expansion if any of these limits
 * is reached. This caps the runtime in the face of DoS attacks. See
 * also CVE-2010-2632
 *
 * None of these is enforced unless the caller sets GLOB_LIMIT in flags:
 * every check below is guarded by (pglob->gl_flags & GLOB_LIMIT), so a
 * caller that does not opt in gets unbounded expansion.  The counters
 * live in a struct glob_limit that glob() zeroes on every call, so they
 * are per-invocation, not cumulative across GLOB_APPEND calls.
 */
#define	GLOB_LIMIT_BRACE	128	/* number of brace calls */
#define	GLOB_LIMIT_PATH		65536	/* number of path elements */
#define	GLOB_LIMIT_READDIR	16384	/* number of readdirs */
#define	GLOB_LIMIT_STAT		1024	/* number of stat system calls */
#define	GLOB_LIMIT_STRING	ARG_MAX	/* maximum total size for paths */

/*
 * Per-invocation bookkeeping for the limits above.  glob() creates one
 * zeroed instance per call and threads it through the expansion helpers.
 */
struct glob_limit {
	/* brace expansions attempted so far; checked against GLOB_LIMIT_BRACE
	 * in globexp0()/globexp1() (post-incremented, so it counts the attempt
	 * that trips the limit too) */
	size_t	l_brace_cnt;
	/* cap on matches: the caller's gl_matchc on entry, or GLOB_LIMIT_PATH
	 * when that is zero (see glob()) */
	size_t	l_path_lim;
	/* readdir calls so far; presumably compared against GLOB_LIMIT_READDIR
	 * by the directory walk, which is not in this excerpt */
	size_t	l_readdir_cnt;
	/* stat calls so far; presumably compared against GLOB_LIMIT_STAT by
	 * the directory walk, which is not in this excerpt */
	size_t	l_stat_cnt;
	/* total bytes of produced paths; presumably compared against
	 * GLOB_LIMIT_STRING when results are appended (not in this excerpt) */
	size_t	l_string_cnt;
};
#define DOT L'.'
#define EOS L'\0'
#define LBRACKET L'['
#define NOT L'!'
#define QUESTION L'?'
#define QUOTE L'\\'
#define RANGE L'-'
#define RBRACKET L']'
#define SEP L'/'
#define STAR L'*'
#define TILDE L'~'
#define LBRACE L'{'
#define RBRACE L'}'
#define COMMA L','
#define M_QUOTE 0x8000000000ULL
#define M_PROTECT 0x4000000000ULL
#define M_MASK 0xffffffffffULL
#define M_CHAR 0x00ffffffffULL
typedef uint_fast64_t Char;
#define CHAR(c) ((Char)((c)&M_CHAR))
#define META(c) ((Char)((c)|M_QUOTE))
#define UNPROT(c) ((c) & ~M_PROTECT)
#define M_ALL META(L'*')
#define M_END META(L']')
#define M_NOT META(L'!')
#define M_ONE META(L'?')
#define M_RNG META(L'-')
#define M_SET META(L'[')
#define ismeta(c) (((c)&M_QUOTE) != 0)
#ifdef DEBUG
#define isprot(c) (((c)&M_PROTECT) != 0)
#endif
static int compare(const void *, const void *);
static int g_Ctoc(const Char *, char *, size_t);
static int g_lstat(Char *, struct stat *, glob_t *);
static DIR *g_opendir(Char *, glob_t *);
static const Char *g_strchr(const Char *, wchar_t);
#ifdef notdef
static Char *g_strcat(Char *, const Char *);
#endif
static int g_stat(Char *, struct stat *, glob_t *);
static int glob0(const Char *, glob_t *, struct glob_limit *,
const char *);
static int glob1(Char *, glob_t *, struct glob_limit *);
static int glob2(Char *, Char *, Char *, Char *, glob_t *,
struct glob_limit *);
static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
struct glob_limit *);
static int globextend(const Char *, glob_t *, struct glob_limit *,
const char *);
static const Char *
globtilde(const Char *, Char *, size_t, glob_t *);
static int globexp0(const Char *, glob_t *, struct glob_limit *,
const char *);
static int globexp1(const Char *, glob_t *, struct glob_limit *);
static int globexp2(const Char *, const Char *, glob_t *,
struct glob_limit *);
static int globfinal(glob_t *, struct glob_limit *, size_t,
const char *);
static int match(Char *, Char *, Char *);
#ifdef DEBUG
static void qprintf(const char *, Char *);
#endif
/*
 * glob(3) entry point.  Converts the multibyte pattern into the internal
 * wide "Char" form, initialises the result vector (unless GLOB_APPEND),
 * seeds the GLOB_LIMIT bookkeeping, and hands the pattern to the brace
 * expander (GLOB_BRACE) or straight to glob0().
 *
 * pattern  NUL-terminated multibyte pattern in the current locale.
 * flags    GLOB_* flags; the non-POSIX ones are listed in the file header.
 * errfunc  optional error callback, stored in gl_errfunc for later use.
 * pglob    result structure.  With GLOB_LIMIT, gl_matchc on entry is the
 *          caller's cap on matches (0 selects GLOB_LIMIT_PATH); it is
 *          reset to 0 before expansion starts.
 *
 * Returns 0 or a GLOB_* error code.  Two input conditions short-circuit
 * to globfinal() with no new matches: an illegal byte sequence (which
 * the file header says matches nothing, even with GLOB_NOCHECK), and a
 * pattern that does not fit in MAXPATHLEN Chars including the EOS.
 * What globfinal() turns "no new matches" into is decided there, not here.
 *
 * Unless GLOB_NOESCAPE is set, a backslash removes the special meaning of
 * the following character by storing it with M_PROTECT; a backslash at
 * the very end of the pattern is kept literally (as QUOTE).
 */
int
glob(const char * __restrict pattern, int flags,
    int (*errfunc)(const char *, int), glob_t * __restrict pglob)
{
	struct glob_limit limit = { 0, 0, 0, 0, 0 };
	Char *out, *last, patbuf[MAXPATHLEN], prot;
	const char *in = pattern;
	mbstate_t mbs;
	wchar_t wc;
	size_t clen;
	int escapes, complete;

	if (!(flags & GLOB_APPEND)) {
		pglob->gl_pathc = 0;
		pglob->gl_pathv = NULL;
		if (!(flags & GLOB_DOOFFS))
			pglob->gl_offs = 0;
	}
	if (flags & GLOB_LIMIT) {
		/* A zero gl_matchc means "no caller cap": use the built-in one. */
		limit.l_path_lim = pglob->gl_matchc;
		if (limit.l_path_lim == 0)
			limit.l_path_lim = GLOB_LIMIT_PATH;
	}
	pglob->gl_flags = flags & ~GLOB_MAGCHAR;
	pglob->gl_errfunc = errfunc;
	pglob->gl_matchc = 0;

	/*
	 * Widen the pattern one character per slot.  The final slot is
	 * reserved for EOS: if the loop runs off the end of patbuf before
	 * it has seen the terminator, the pattern is too long.
	 */
	escapes = !(flags & GLOB_NOESCAPE);
	complete = 0;
	out = patbuf;
	last = patbuf + MAXPATHLEN - 1;
	memset(&mbs, 0, sizeof(mbs));
	while (out <= last) {
		prot = 0;
		if (escapes && *in == '\\') {
			/* Trailing backslash: retained literally, per the header. */
			if (*++in == '\0') {
				*out++ = QUOTE;
				continue;
			}
			/* Escaped character: flag it so the matcher treats it literally. */
			prot = M_PROTECT;
		}
		clen = mbrtowc(&wc, in, MB_LEN_MAX, &mbs);
		if (clen == (size_t)-1 || clen == (size_t)-2) {
			/* Illegal byte sequence: bail out with no matches. */
			return (globfinal(pglob, &limit, pglob->gl_pathc,
			    pattern));
		}
		if (clen == 0) {
			complete = 1;
			break;
		}
		*out++ = wc | prot;
		in += clen;
	}
	if (!complete)
		return (globfinal(pglob, &limit, pglob->gl_pathc, pattern));
	*out = EOS;

	if (flags & GLOB_BRACE)
		return (globexp0(patbuf, pglob, &limit, pattern));
	return (glob0(patbuf, pglob, &limit, pattern));
}
/*
 * First stage of GLOB_BRACE handling.
 *
 * A pattern that is exactly "{}" is deliberately not expanded (find(1)
 * depends on this, as does csh) and goes straight to glob0().  Anything
 * else is run through the recursive brace expander and then through
 * globfinal(), which is told how many matches existed beforehand so
 * that only the matches added by this call are considered.
 *
 * With GLOB_LIMIT set, the "{}" path counts as one brace expansion
 * against GLOB_LIMIT_BRACE and fails with GLOB_NOSPACE (errno cleared)
 * once the budget is used up.  Returns 0 or a GLOB_* error code.
 */
static int
globexp0(const Char *pattern, glob_t *pglob, struct glob_limit *limit,
    const char *origpat) {
	size_t before;
	int err, bare_braces;

	bare_braces = pattern[0] == LBRACE && pattern[1] == RBRACE &&
	    pattern[2] == EOS;
	if (bare_braces) {
		if ((pglob->gl_flags & GLOB_LIMIT) &&
		    limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
			errno = 0;
			return (GLOB_NOSPACE);
		}
		return (glob0(pattern, pglob, limit, origpat));
	}

	before = pglob->gl_pathc;
	err = globexp1(pattern, pglob, limit);
	if (err != 0)
		return (err);
	return (globfinal(pglob, limit, before, origpat));
}
/*
 * Recursive driver for brace expansion.  Locates the next LBRACE in the
 * pattern and hands it to globexp2(); when there is none left, the
 * pattern is fully expanded and goes to glob0() for ordinary globbing.
 *
 * With GLOB_LIMIT set, every brace found is charged against
 * GLOB_LIMIT_BRACE and the expansion stops with GLOB_NOSPACE (errno
 * cleared) once that budget is exhausted.  Returns 0 or a GLOB_* code.
 *
 * NOTE(review): LBRACE is the bare L'{' value, while a backslash-quoted
 * brace is stored by glob() with M_PROTECT set.  Assuming g_strchr()
 * compares the full Char value (its body is not in this excerpt), a
 * quoted brace therefore never starts an expansion.
 */
static int
globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
	const Char *brace = g_strchr(pattern, LBRACE);

	if (brace == NULL)
		return (glob0(pattern, pglob, limit, NULL));

	if ((pglob->gl_flags & GLOB_LIMIT) &&
	    limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
		errno = 0;
		return (GLOB_NOSPACE);
	}
	return (globexp2(brace, pattern, pglob, limit));
}
/*
 * Recursive brace globbing helper. Tries to expand a single brace.
 * If it succeeds then it invokes globexp1 with the new pattern.
 * If it fails then it tries to glob the rest of the pattern and returns.
 *
 * ptr      points at the LBRACE inside pattern that globexp1() found.
 * pattern  the whole pattern; everything before ptr is copied verbatim.
 *
 * For each comma-separated alternative inside the balanced brace pair,
 * builds prefix + alternative + suffix in a local buffer and recurses
 * via globexp1().  Returns 0, or the first non-zero result from
 * globexp1()/glob0().  Unbalanced braces are not an error: the pattern
 * is then passed to glob0() as-is.
 *
 * Only unprotected structure is recognised: all comparisons below use
 * the full Char value, and a character that was backslash-quoted in
 * glob() or produced by globtilde() carries M_PROTECT, so it never
 * compares equal to LBRACE/RBRACE/COMMA/LBRACKET.
 *
 * NOTE(review): every level of brace nesting costs one globexp1() plus
 * one globexp2() frame, and each globexp2() frame holds a
 * MAXPATHLEN-element Char array on the stack.  Without GLOB_LIMIT the
 * nesting depth is bounded only by how many braces fit in the pattern;
 * whether that fits the stack budget of threaded callers is worth
 * confirming.
 */
static int
globexp2(const Char *ptr, const Char *pattern, glob_t *pglob,
    struct glob_limit *limit)
{
	int i, rv;
	Char *lm, *ls;
	const Char *pe, *pm, *pm1, *pl;
	/*
	 * Cannot overflow: each expansion drops at least the enclosing
	 * brace pair, so the result is strictly shorter than pattern, which
	 * itself came from a MAXPATHLEN Char buffer (glob()'s or a previous
	 * globexp2() level's).
	 */
	Char patbuf[MAXPATHLEN];

	/* copy part up to the brace */
	for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++)
		continue;
	*lm = EOS;
	ls = lm;	/* every alternative is appended starting here */

	/*
	 * Find the balanced brace.  Brackets are skipped because a brace or
	 * comma inside [...] is part of the character set, not structure.
	 * i counts nested LBRACEs that still need their RBRACE.
	 */
	for (i = 0, pe = ++ptr; *pe != EOS; pe++)
		if (*pe == LBRACKET) {
			/* Ignore everything between [] */
			for (pm = pe++; *pe != RBRACKET && *pe != EOS; pe++)
				continue;
			if (*pe == EOS) {
				/*
				 * We could not find a matching RBRACKET.
				 * Ignore and just look for RBRACE
				 */
				pe = pm;
			}
		}
		else if (*pe == LBRACE)
			i++;
		else if (*pe == RBRACE) {
			if (i == 0)
				break;
			i--;
		}

	/* Non matching braces; just glob the pattern */
	if (i != 0 || *pe == EOS)
		return (glob0(pattern, pglob, limit, NULL));

	/*
	 * Second pass over ptr..pe, which must mirror the bracket/brace
	 * skipping of the first pass so that pe is still the matching
	 * RBRACE.  pl marks the start of the current alternative; a COMMA at
	 * nesting level 0, or the final RBRACE, terminates it.
	 */
	for (i = 0, pl = pm = ptr; pm <= pe; pm++)
		switch (*pm) {
		case LBRACKET:
			/* Ignore everything between [] */
			for (pm1 = pm++; *pm != RBRACKET && *pm != EOS; pm++)
				continue;
			if (*pm == EOS) {
				/*
				 * We could not find a matching RBRACKET.
				 * Ignore and just look for RBRACE
				 */
				pm = pm1;
			}
			break;

		case LBRACE:
			i++;
			break;

		case RBRACE:
			if (i) {
				i--;
				break;
			}
			/* FALLTHROUGH */
		case COMMA:
			if (i && *pm == COMMA)
				break;	/* comma inside a nested brace: literal */
			else {
				/* Append the current string */
				for (lm = ls; (pl < pm); *lm++ = *pl++)
					continue;

				/*
				 * Append the rest of the pattern after the
				 * closing brace
				 */
				for (pl = pe + 1; (*lm++ = *pl++) != EOS;)
					continue;

				/* Expand the current pattern */
#ifdef DEBUG
				qprintf("globexp2:", patbuf);
#endif
				/* Recurse: remaining braces in patbuf are handled there. */
				rv = globexp1(patbuf, pglob, limit);
				if (rv)
					return (rv);

				/* move after the comma, to the next string */
				pl = pm + 1;
			}
			break;

		default:
			break;
		}
	return (0);
}
/*
 * expand tilde from the passwd file.
 *
 * Rewrites a leading "~" or "~user" in pattern into patbuf (patbuf_len
 * Chars, EOS included) followed by the rest of pattern, and returns
 * patbuf.  Returns pattern untouched when there is nothing to do (no
 * leading TILDE, GLOB_TILDE not set, or the user cannot be resolved), and
 * NULL when the expansion would not fit in patbuf or the user name could
 * not be converted back to multibyte.
 *
 * pattern and patbuf must be distinct buffers: the tail of pattern is
 * read after the home directory has already been written into patbuf.
 *
 * Security notes:
 *  - $HOME is honoured only when issetugid() returns 0, so a set-id
 *    process cannot be steered to an attacker-chosen directory through
 *    its environment; the passwd database is consulted instead.
 *  - Every Char of the home directory is stored with M_PROTECT, so glob
 *    metacharacters in $HOME or pw_dir are matched literally, never
 *    expanded.
 *  - NOTE(review): for a bare "~" the passwd path tries getlogin() before
 *    getpwuid(getuid()); when the session's login name does not belong
 *    to the current uid (e.g. after su) "~" follows the login name.  This
 *    is long-standing BSD behaviour, but callers that rely on "~" meaning
 *    the current uid should be aware of it.
 */
static const Char *
globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
{
	struct passwd *pwd;
	char *h, *sc;
	const Char *p;
	Char *b, *eb;
	wchar_t wc;
	wchar_t wbuf[MAXPATHLEN];
	wchar_t *wbufend, *dc;
	size_t clen;
	mbstate_t mbs;
	int too_long;

	if (*pattern != TILDE || !(pglob->gl_flags & GLOB_TILDE))
		return (pattern);

	/*
	 * Copy up to the end of the string or /
	 * (a backslash-quoted slash still ends the user name, hence UNPROT).
	 * eb is the last usable slot; it is reserved for EOS.
	 */
	eb = &patbuf[patbuf_len - 1];
	for (p = pattern + 1, b = patbuf;
	    b < eb && *p != EOS && UNPROT(*p) != SEP; *b++ = *p++)
		continue;

	/* The loop stopped because patbuf filled up, not at a terminator. */
	if (*p != EOS && UNPROT(*p) != SEP)
		return (NULL);

	*b = EOS;
	h = NULL;

	if (patbuf[0] == EOS) {
		/*
		 * handle a plain ~ or ~/ by expanding $HOME first (iff
		 * we're not running setuid or setgid) and then trying
		 * the password file
		 */
		if (issetugid() != 0 ||
		    (h = getenv("HOME")) == NULL) {
			if (((h = getlogin()) != NULL &&
			     (pwd = getpwnam(h)) != NULL) ||
			    (pwd = getpwuid(getuid())) != NULL)
				h = pwd->pw_dir;
			else
				return (pattern);	/* leave "~" literal */
		}
	}
	else {
		/*
		 * Expand a ~user
		 *
		 * wbuf is borrowed as scratch for the multibyte user name;
		 * it is reused for the home directory below, after getpwnam()
		 * has consumed the name.
		 */
		if (g_Ctoc(patbuf, (char *)wbuf, sizeof(wbuf)))
			return (NULL);
		if ((pwd = getpwnam((char *)wbuf)) == NULL)
			return (pattern);	/* unknown user: leave "~user" literal */
		else
			h = pwd->pw_dir;
	}

	/*
	 * Copy the home directory
	 *
	 * h points at either the environment value or pw_dir, which is
	 * typically static storage owned by the getpw* family; it is consumed
	 * here before any other getpw* call can clobber it.
	 */
	dc = wbuf;
	sc = h;
	wbufend = wbuf + MAXPATHLEN - 1;
	too_long = 1;
	memset(&mbs, 0, sizeof(mbs));
	while (dc <= wbufend) {
		clen = mbrtowc(&wc, sc, MB_LEN_MAX, &mbs);
		if (clen == (size_t)-1 || clen == (size_t)-2) {
			/* XXX See initial comment #2. */
			/* Take the raw byte and restart the shift state. */
			wc = (unsigned char)*sc;
			clen = 1;
			memset(&mbs, 0, sizeof(mbs));
		}
		if ((*dc++ = wc) == EOS) {
			too_long = 0;
			break;
		}
		sc += clen;
	}
	if (too_long)
		return (NULL);

	/*
	 * Overwrite the user name in patbuf with the home directory, marking
	 * each Char M_PROTECT so nothing in it is treated as a metacharacter.
	 */
	dc = wbuf;
	for (b = patbuf; b < eb && *dc != EOS; *b++ = *dc++ | M_PROTECT)
		continue;
	if (*dc != EOS)
		return (NULL);

	/* Append the rest of the pattern */
	if (*p != EOS) {
		too_long = 1;
		while (b <= eb) {
			if ((*b++ = *p++) == EOS) {
				too_long = 0;
				break;
			}
		}
		if (too_long)
			return (NULL);
	} else
		*b = EOS;

	return (patbuf);
}
/*
 * The main glob() routine: compiles the pattern (optionally processing
 * quotes), calls glob1() to do the real pattern matching, and finally
 * sorts the list (unless unsorted operation is requested). Returns 0
 * if things went well, nonzero if errors occurred.
 *
 * pattern: the Char pattern, tilde-expanded here via globtilde.
 * pglob:   the glob_t being filled; gl_flags gains GLOB_MAGCHAR whenever
 *          a metacharacter is compiled.
 * limit:   this call's GLOB_LIMIT counters, passed through to glob1.
 * origpat: the original byte-string pattern, or NULL to skip the
 *          no-match / sort post-processing done by globfinal (globexp2
 *          passes NULL when globbing a single brace alternative).
 *
 * Compiled form consumed by glob2/glob3/match: a '[...]' set becomes
 * M_SET [M_NOT] member [M_RNG upper] ... M_END, '?' becomes M_ONE, a run
 * of '*' becomes a single M_ALL, and everything else is stored as CHAR(c).
 */
static int
glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit,
    const char *origpat) {
	const Char *qpatnext;
	int err;
	size_t oldpathc;
	Char *bufnext, c, patbuf[MAXPATHLEN];

	/* globtilde returns NULL only when the expansion does not fit. */
	qpatnext = globtilde(pattern, patbuf, MAXPATHLEN, pglob);
	if (qpatnext == NULL) {
		errno = 0;
		return (GLOB_NOSPACE);
	}
	oldpathc = pglob->gl_pathc;
	bufnext = patbuf;

	/*
	 * We don't need to check for buffer overflow any more.
	 *
	 * Rationale: each bracket construct below emits one token per input
	 * Char it consumes, and the other cases emit at most one, so the
	 * compiled pattern is never longer than its input; globtilde already
	 * bounded that input to MAXPATHLEN Chars.  This also assumes the
	 * caller (glob()) limited the raw pattern to MAXPATHLEN -- that
	 * check is not visible here, verify it at the call site.
	 */
	while ((c = *qpatnext++) != EOS) {
		switch (c) {
		case LBRACKET:
			/*
			 * A '[' with no ']' later in the pattern (or one
			 * followed only by '!') is an ordinary character;
			 * back up over the '!' we may have skipped.
			 */
			c = *qpatnext;
			if (c == NOT)
				++qpatnext;
			if (*qpatnext == EOS ||
			    g_strchr(qpatnext+1, RBRACKET) == NULL) {
				*bufnext++ = LBRACKET;
				if (c == NOT)
					--qpatnext;
				break;
			}
			*bufnext++ = M_SET;
			if (c == NOT)
				*bufnext++ = M_NOT;
			c = *qpatnext++;
			/*
			 * The first Char after '[' (or "[!") is always a set
			 * member, so a leading ']' is literal.  "x-y" becomes
			 * x M_RNG y unless the '-' directly precedes ']', in
			 * which case the '-' is a plain member.
			 */
			do {
				*bufnext++ = CHAR(c);
				if (*qpatnext == RANGE &&
				    (c = qpatnext[1]) != RBRACKET) {
					*bufnext++ = M_RNG;
					*bufnext++ = CHAR(c);
					qpatnext += 2;
				}
			} while ((c = *qpatnext++) != RBRACKET);
			pglob->gl_flags |= GLOB_MAGCHAR;
			*bufnext++ = M_END;
			break;
		case QUESTION:
			pglob->gl_flags |= GLOB_MAGCHAR;
			*bufnext++ = M_ONE;
			break;
		case STAR:
			pglob->gl_flags |= GLOB_MAGCHAR;
			/* collapse adjacent stars to one,
			 * to avoid exponential behavior
			 */
			if (bufnext == patbuf || bufnext[-1] != M_ALL)
				*bufnext++ = M_ALL;
			break;
		default:
			*bufnext++ = CHAR(c);
			break;
		}
	}
	*bufnext = EOS;
#ifdef DEBUG
	qprintf("glob0:", patbuf);
#endif

	if ((err = glob1(patbuf, pglob, limit)) != 0)
		return(err);

	/* origpat == NULL: the caller does its own post-processing. */
	if (origpat != NULL)
		return (globfinal(pglob, limit, oldpathc, origpat));

	return (0);
}
/*
 * Post-process the matches produced by one glob0 pass.
 *
 * pglob:    the glob_t being filled.
 * limit:    this call's GLOB_LIMIT counters (forwarded to globextend).
 * oldpathc: gl_pathc before the pass, i.e. the index of the first new match.
 * origpat:  the caller's original pattern text, appended as the sole result
 *           when nothing matched and GLOB_NOCHECK is set, or GLOB_NOMAGIC is
 *           set and the pattern compiled to no metacharacters (GLOB_NOMAGIC
 *           exists only for csh compatibility).
 *
 * Returns GLOB_NOMATCH when nothing matched and neither fallback applies,
 * the globextend status when the fallback is appended, and 0 otherwise,
 * after sorting the new entries with strcoll unless GLOB_NOSORT is set.
 */
static int
globfinal(glob_t *pglob, struct glob_limit *limit, size_t oldpathc,
    const char *origpat) {
	size_t nnew = pglob->gl_pathc - oldpathc;
	int flags = pglob->gl_flags;
	int nomagic;

	if (nnew != 0) {
		/* Only the entries added by this pass are sorted. */
		if ((flags & GLOB_NOSORT) == 0)
			qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
			    nnew, sizeof(char *), compare);
		return (0);
	}

	/* No matches: decide whether the pattern itself is the answer. */
	nomagic = (flags & GLOB_NOMAGIC) != 0 && (flags & GLOB_MAGCHAR) == 0;
	if ((flags & GLOB_NOCHECK) != 0 || nomagic)
		return (globextend(NULL, pglob, limit, origpat));
	return (GLOB_NOMATCH);
}
/*
 * qsort(3) comparator for gl_pathv entries: orders two path strings by
 * strcoll(3), i.e. in the collation order of the current locale.
 *
 * p, q: pointers to the char * elements being compared.
 * Returns <0, 0 or >0 as strcoll does.
 */
static int
compare(const void *p, const void *q)
{
	const char *const *lhs = p;
	const char *const *rhs = q;

	return (strcoll(*lhs, *rhs));
}
/*
 * Start matching a compiled pattern (see glob0): set up the working path
 * buffer and hand it to the glob2/glob3 recursion.
 *
 * pattern: the compiled pattern, consumed by glob2.
 * pglob:   the glob_t being filled.
 * limit:   this call's GLOB_LIMIT counters.
 *
 * Returns 0 -- also for an empty pattern, which matches nothing -- or a
 * GLOB_* error propagated from the recursion.
 */
static int
glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
	Char pathbuf[MAXPATHLEN];
	Char *const last_slot = pathbuf + MAXPATHLEN - 1;

	/* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */
	if (pattern[0] == EOS)
		return (0);

	return (glob2(pathbuf, pathbuf, last_slot, pattern, pglob, limit));
}
/*
 * The functions glob2 and glob3 are mutually recursive; there is one level
 * of recursion for each segment in the pattern that contains one or more
 * meta characters.
 */

/*
 * Walk the compiled pattern segment by segment: literal segments are
 * appended to pathbuf directly, and the first segment holding a
 * metacharacter is handed to glob3 for directory expansion.
 *
 * pathbuf:      the path assembled so far (Chars).
 * pathend:      where the next segment is written.
 * pathend_last: last writable slot of pathbuf; every store is checked
 *               against it and a would-be overrun returns GLOB_NOSPACE
 *               with errno cleared.
 * pattern:      the remaining compiled pattern (see glob0).
 * pglob, limit: the glob_t and this call's GLOB_LIMIT counters.
 *
 * Returns 0 on success or no match, or a GLOB_* error.  The pathend[-1]
 * read below relies on glob1 rejecting an empty pattern, so that the end
 * of the pattern is never reached with pathend == pathbuf.
 */
static int
glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
    glob_t *pglob, struct glob_limit *limit)
{
	struct stat sb;
	Char *p, *q;
	int anymeta;

	/*
	 * Loop over pattern segments until end of pattern or until
	 * segment with meta character found.
	 */
	for (anymeta = 0;;) {
		if (*pattern == EOS) {		/* End of pattern? */
			*pathend = EOS;
			/* A path that cannot be lstat'ed is simply no match. */
			if (g_lstat(pathbuf, &sb, pglob))
				return (0);

			/*
			 * GLOB_LIMIT: cap the number of stat calls per glob(3)
			 * invocation (see CVE-2010-2632).  errno is cleared so
			 * a limit hit can be told from a real out-of-memory
			 * GLOB_NOSPACE.
			 */
			if ((pglob->gl_flags & GLOB_LIMIT) &&
			    limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
				errno = 0;
				return (GLOB_NOSPACE);
			}
			/*
			 * GLOB_MARK: append '/' to directories, following a
			 * symlink with g_stat to decide, unless the path
			 * already ends in an unprotected '/'.
			 */
			if ((pglob->gl_flags & GLOB_MARK) &&
			    UNPROT(pathend[-1]) != SEP &&
			    (S_ISDIR(sb.st_mode) ||
			    (S_ISLNK(sb.st_mode) &&
			    g_stat(pathbuf, &sb, pglob) == 0 &&
			    S_ISDIR(sb.st_mode)))) {
				if (pathend + 1 > pathend_last) {
					errno = 0;
					return (GLOB_NOSPACE);
				}
				*pathend++ = SEP;
				*pathend = EOS;
			}
			++pglob->gl_matchc;
			return (globextend(pathbuf, pglob, limit, NULL));
		}

		/* Find end of next segment, copy tentatively to pathend. */
		q = pathend;
		p = pattern;
		while (*p != EOS && UNPROT(*p) != SEP) {
			if (ismeta(*p))
				anymeta = 1;
			if (q + 1 > pathend_last) {
				errno = 0;
				return (GLOB_NOSPACE);
			}
			*q++ = *p++;
		}

		if (!anymeta) {		/* No expansion, do next segment. */
			pathend = q;
			pattern = p;
			/* Copy the separator(s) too, still bounds-checked. */
			while (UNPROT(*pattern) == SEP) {
				if (pathend + 1 > pathend_last) {
					errno = 0;
					return (GLOB_NOSPACE);
				}
				*pathend++ = *pattern++;
			}
		} else			/* Need expansion, recurse. */
			return (glob3(pathbuf, pathend, pathend_last, pattern,
			    p, pglob, limit));
	}
	/* NOTREACHED */
}
/*
 * Expand one pattern segment that contains metacharacters: open the
 * directory named by pathbuf so far and, for every entry matching the
 * segment, append it and continue with glob2 on the rest of the pattern.
 *
 * pathbuf, pathend, pathend_last: as for glob2; the entry name is written
 *               at pathend.
 * pattern:      start of the compiled segment; restpattern is its end (the
 *               following '/' or EOS) and also what glob2 continues with.
 * pglob, limit: the glob_t and this call's GLOB_LIMIT counters.
 *
 * Returns 0, GLOB_NOSPACE or GLOB_ABORTED.  Entry names come from the
 * filesystem and are treated as untrusted: each is bounds-checked against
 * pathend_last while being converted, and names that do not fit are skipped
 * rather than truncated.
 */
static int
glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
    Char *pattern, Char *restpattern,
    glob_t *pglob, struct glob_limit *limit)
{
	struct dirent *dp;
	DIR *dirp;
	int err, too_long, saverrno;
	char buf[MAXPATHLEN + MB_LEN_MAX - 1];
	struct dirent *(*readdirfunc)(DIR *);

	if (pathend > pathend_last) {
		errno = 0;
		return (GLOB_NOSPACE);
	}
	*pathend = EOS;
	/*
	 * buf, the multibyte form of the directory path, is only needed --
	 * and only filled in -- when it will be handed to gl_errfunc.
	 */
	if (pglob->gl_errfunc != NULL &&
	    g_Ctoc(pathbuf, buf, sizeof(buf))) {
		errno = 0;
		return (GLOB_NOSPACE);
	}

	errno = 0;
	if ((dirp = g_opendir(pathbuf, pglob)) == NULL) {
		/* A missing directory is simply no match. */
		if (errno == ENOENT || errno == ENOTDIR)
			return (0);
		/*
		 * Any other failure (EACCES, the ENAMETOOLONG that g_opendir
		 * reports for an unconvertible path, ...) aborts the glob
		 * only if gl_errfunc says so or GLOB_ERR is set; otherwise
		 * the directory is silently skipped.
		 */
		if ((pglob->gl_errfunc != NULL &&
		    pglob->gl_errfunc(buf, errno)) ||
		    (pglob->gl_flags & GLOB_ERR))
			return (GLOB_ABORTED);
		return (0);
	}

	err = 0;

	/* pglob->gl_readdir takes a void *, fix this manually */
	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
		readdirfunc = (struct dirent *(*)(DIR *))pglob->gl_readdir;
	else
		readdirfunc = readdir;

	/*
	 * errno is zeroed before every readdir call so that a NULL return
	 * with errno != 0 afterwards is recognisable as a read error.
	 */
	errno = 0;
	/* Search directory for matching names. */
	while ((dp = (*readdirfunc)(dirp)) != NULL) {
		char *sc;
		Char *dc;
		wchar_t wc;
		size_t clen;
		mbstate_t mbs;

		/* GLOB_LIMIT: cap directory entries read per glob(3) call. */
		if ((pglob->gl_flags & GLOB_LIMIT) &&
		    limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
			errno = 0;
			err = GLOB_NOSPACE;
			break;
		}

		/* Initial DOT must be matched literally. */
		if (dp->d_name[0] == '.' && UNPROT(*pattern) != DOT) {
			errno = 0;
			continue;
		}
		/*
		 * Convert the entry name to Chars at pathend, never storing
		 * past pathend_last.  Undecodable bytes are taken one at a
		 * time (conversion state reset) instead of failing the name.
		 */
		memset(&mbs, 0, sizeof(mbs));
		dc = pathend;
		sc = dp->d_name;
		too_long = 1;
		while (dc <= pathend_last) {
			clen = mbrtowc(&wc, sc, MB_LEN_MAX, &mbs);
			if (clen == (size_t)-1 || clen == (size_t)-2) {
				/* XXX See initial comment #2. */
				wc = (unsigned char)*sc;
				clen = 1;
				memset(&mbs, 0, sizeof(mbs));
			}
			if ((*dc++ = wc) == EOS) {
				too_long = 0;
				break;
			}
			sc += clen;
		}
		if (too_long || !match(pathend, pattern, restpattern)) {
			*pathend = EOS;
			errno = 0;
			continue;
		}
		/* dc was left one past the EOS; back up onto it for glob2. */
		err = glob2(pathbuf, --dc, pathend_last, restpattern,
		    pglob, limit);
		if (err)
			break;
		errno = 0;
	}

	/* closedir may clobber errno; keep the readdir result. */
	saverrno = errno;
	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
		(*pglob->gl_closedir)(dirp);
	else
		closedir(dirp);
	errno = saverrno;

	if (err)
		return (err);

	/* A readdir failure is reported the same way as an opendir failure. */
	if (dp == NULL && errno != 0 && ((pglob->gl_errfunc != NULL &&
	    pglob->gl_errfunc(buf, errno)) || (pglob->gl_flags & GLOB_ERR)))
		return (GLOB_ABORTED);
	return (0);
}
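/*
 * Extend the gl_pathv member of a glob_t structure to accommodate a new item,
 * add the new item, and update gl_pathc.
 *
 * This assumes the BSD realloc, which only copies the block when its size
 * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic
 * behavior.
 *
 * path:    the matched path as Chars, converted to multibyte here; ignored
 *          when origpat is given.
 * origpat: when non-NULL, the original pattern text to store verbatim (the
 *          GLOB_NOCHECK / GLOB_NOMAGIC "no match" case).
 * limit:   this call's GLOB_LIMIT counters; l_string_cnt always accumulates
 *          the bytes stored but is only enforced when GLOB_LIMIT is set.
 *
 * Return 0 if new item added, error code if memory couldn't be allocated.
 * GLOB_NOSPACE returns caused by a limit leave errno == 0 so callers can
 * tell them from a genuine allocation failure.
 *
 * Invariant of the glob_t structure:
 * Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and
 * gl_pathv points to (gl_offs + gl_pathc + 1) items.
 */
static int
globextend(const Char *path, glob_t *pglob, struct glob_limit *limit,
    const char *origpat)
{
	char **pathv;
	size_t i, newsize, len, nslots;
	char *copy;
	const Char *p;

	if ((pglob->gl_flags & GLOB_LIMIT) &&
	    pglob->gl_matchc > limit->l_path_lim) {
		errno = 0;
		return (GLOB_NOSPACE);
	}

	/*
	 * Slots needed: gl_offs leading entries, gl_pathc existing entries,
	 * the new entry and the terminating NULL.  gl_offs is supplied by
	 * the caller, so make sure neither the slot count nor the byte size
	 * can wrap: a wrapped newsize would hand back an undersized block
	 * that the stores below overrun.
	 */
	if (pglob->gl_pathc > ~(size_t)0 - 2 ||
	    pglob->gl_offs > ~(size_t)0 - 2 - pglob->gl_pathc) {
		errno = ENOMEM;
		return (GLOB_NOSPACE);
	}
	nslots = 2 + pglob->gl_pathc + pglob->gl_offs;
	if (nslots > ~(size_t)0 / sizeof(*pathv)) {
		errno = ENOMEM;
		return (GLOB_NOSPACE);
	}
	newsize = sizeof(*pathv) * nslots;
	/* realloc(NULL, newsize) is equivalent to malloc(newsize). */
	pathv = realloc((void *)pglob->gl_pathv, newsize);
	if (pathv == NULL)
		return (GLOB_NOSPACE);	/* gl_pathv and its entries stay valid */

	if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) {
		/* first time around -- clear initial gl_offs items */
		pathv += pglob->gl_offs;
		for (i = pglob->gl_offs + 1; --i > 0; )
			*--pathv = NULL;
	}
	pglob->gl_pathv = pathv;

	if (origpat != NULL)
		copy = strdup(origpat);
	else {
		for (p = path; *p++ != EOS;)
			continue;
		len = MB_CUR_MAX * (size_t)(p - path);	/* XXX overallocation */
		if ((copy = malloc(len)) != NULL) {
			if (g_Ctoc(path, copy, len)) {
				free(copy);
				errno = 0;
				return (GLOB_NOSPACE);
			}
		}
	}
	if (copy != NULL) {
		limit->l_string_cnt += strlen(copy) + 1;
		if ((pglob->gl_flags & GLOB_LIMIT) &&
		    limit->l_string_cnt >= GLOB_LIMIT_STRING) {
			free(copy);
			errno = 0;
			return (GLOB_NOSPACE);
		}
		pathv[pglob->gl_offs + pglob->gl_pathc++] = copy;
	}
	/* Keep the vector NULL-terminated even when the copy failed. */
	pathv[pglob->gl_offs + pglob->gl_pathc] = NULL;
	return (copy == NULL ? GLOB_NOSPACE : 0);
}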
/*
 * pattern matching function for filenames. Each occurrence of the *
 * pattern causes a recursion level.
 *
 * name:   the Char string to test (a directory entry converted by glob3).
 * pat:    the compiled segment (see glob0); patend is one past its end.
 *
 * Returns 1 if name matches the whole segment with nothing left over,
 * 0 otherwise.  Relies on glob0's compiled form: every M_SET is closed by
 * an M_END and every M_RNG is followed by its upper bound, so the bracket
 * loop below never runs past patend.
 *
 * Complexity caveat: the M_ALL case retries the rest of the pattern at
 * every remaining position of name, so a segment with several '*'
 * separated by literals can cost time super-linear in the name length
 * (glob0 collapses only *adjacent* stars).
 */
static int
match(Char *name, Char *pat, Char *patend)
{
	int ok, negate_range;
	Char c, k;
	/* Collation data of the current locale, used for [x-y] range tests. */
	struct xlocale_collate *table =
		(struct xlocale_collate*)__get_locale()->components[XLC_COLLATE];

	while (pat < patend) {
		c = *pat++;
		switch (c & M_MASK) {
		case M_ALL:
			/* A trailing '*' matches whatever is left of name. */
			if (pat == patend)
				return (1);
			do
			    if (match(name, pat, patend))
				    return (1);
			while (*name++ != EOS);
			return (0);
		case M_ONE:
			if (*name++ == EOS)
				return (0);
			break;
		case M_SET:
			ok = 0;
			if ((k = *name++) == EOS)
				return (0);
			if ((negate_range = ((*pat & M_MASK) == M_NOT)) != 0)
				++pat;
			/*
			 * Ranges use the locale's collation order when the
			 * table loaded, raw code-point order otherwise.
			 */
			while (((c = *pat++) & M_MASK) != M_END)
				if ((*pat & M_MASK) == M_RNG) {
					if (table->__collate_load_error ?
					    CHAR(c) <= CHAR(k) &&
					    CHAR(k) <= CHAR(pat[1]) :
					    __wcollate_range_cmp(CHAR(c),
					    CHAR(k)) <= 0 &&
					    __wcollate_range_cmp(CHAR(k),
					    CHAR(pat[1])) <= 0)
						ok = 1;
					pat += 2;
				} else if (c == k)
					ok = 1;
			/* Fail on a matched negated set or an unmatched plain one. */
			if (ok == negate_range)
				return (0);
			break;
		default:
			/* Literal character: must match exactly. */
			if (*name++ != c)
				return (0);
			break;
		}
	}
	return (*name == EOS);
}
/* Free allocated data belonging to a glob_t structure. */
void
globfree(glob_t *pglob)
1994-05-27 05:00:24 +00:00
{
size_t i;
char **pp;
1994-05-27 05:00:24 +00:00
if (pglob->gl_pathv != NULL) {
pp = pglob->gl_pathv + pglob->gl_offs;
for (i = pglob->gl_pathc; i--; ++pp)
if (*pp)
free(*pp);
free(pglob->gl_pathv);
pglob->gl_pathv = NULL;
1994-05-27 05:00:24 +00:00
}
}
/*
 * Open the directory named by str (Chars), or "." when str is empty,
 * honouring the GLOB_ALTDIRFUNC hook.
 *
 * Returns the DIR handle, or NULL with errno set.  A path that does not
 * fit a multibyte buffer of MAXPATHLEN + MB_LEN_MAX - 1 bytes fails with
 * ENAMETOOLONG before any filesystem access.
 */
static DIR *
g_opendir(Char *str, glob_t *pglob)
{
	char dirname[MAXPATHLEN + MB_LEN_MAX - 1];

	if (*str == EOS) {
		strcpy(dirname, ".");
	} else if (g_Ctoc(str, dirname, sizeof(dirname)) != 0) {
		errno = ENAMETOOLONG;
		return (NULL);
	}

	if ((pglob->gl_flags & GLOB_ALTDIRFUNC) != 0)
		return ((*pglob->gl_opendir)(dirname));
	return (opendir(dirname));
}
/*
 * lstat(2) wrapper taking a Char path, honouring the GLOB_ALTDIRFUNC hook.
 *
 * fn: the path as Chars; sb receives the result.
 * Returns the lstat status; -1 with errno = ENAMETOOLONG when the path
 * does not fit the multibyte conversion buffer.
 */
static int
g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
{
	char pathname[MAXPATHLEN + MB_LEN_MAX - 1];

	if (g_Ctoc(fn, pathname, sizeof(pathname)) != 0) {
		errno = ENAMETOOLONG;
		return (-1);
	}

	if ((pglob->gl_flags & GLOB_ALTDIRFUNC) != 0)
		return ((*pglob->gl_lstat)(pathname, sb));
	return (lstat(pathname, sb));
}
/*
 * stat(2) wrapper taking a Char path, honouring the GLOB_ALTDIRFUNC hook.
 * Unlike g_lstat this follows symlinks.
 *
 * fn: the path as Chars; sb receives the result.
 * Returns the stat status; -1 with errno = ENAMETOOLONG when the path
 * does not fit the multibyte conversion buffer.
 */
static int
g_stat(Char *fn, struct stat *sb, glob_t *pglob)
{
	char pathname[MAXPATHLEN + MB_LEN_MAX - 1];

	if (g_Ctoc(fn, pathname, sizeof(pathname)) != 0) {
		errno = ENAMETOOLONG;
		return (-1);
	}

	if ((pglob->gl_flags & GLOB_ALTDIRFUNC) != 0)
		return ((*pglob->gl_stat)(pathname, sb));
	return (stat(pathname, sb));
}
/*
 * Find the first occurrence of ch in the Char string str.
 *
 * Returns a pointer to the match, or NULL if ch does not occur.  As with
 * strchr(3), ch == 0 locates the terminator itself.
 */
static const Char *
g_strchr(const Char *str, wchar_t ch)
{
	for (;; str++) {
		if (*str == ch)
			return (str);
		if (*str == 0)
			break;
	}
	return (NULL);
}
/*
 * Convert a Char string to a multibyte string in the current locale.
 *
 * str: the source Chars (metacharacter bits are stripped with CHAR()).
 * buf: destination of len bytes.
 *
 * Returns 0 on success (buf is NUL-terminated) and 1 if buf is too small.
 * Each conversion insists on MB_CUR_MAX free bytes, so a string whose
 * final character would still have fit can be reported as too long.
 * Characters wcrtomb cannot encode are stored as their low byte instead of
 * failing the conversion.
 */
static int
g_Ctoc(const Char *str, char *buf, size_t len)
{
	mbstate_t mbs;
	size_t clen = 0;

	memset(&mbs, 0, sizeof(mbs));
	for (; len >= MB_CUR_MAX; str++, buf += clen, len -= clen) {
		clen = wcrtomb(buf, CHAR(*str), &mbs);
		if (clen == (size_t)-1) {
			/* XXX See initial comment #2. */
			*buf = (char)CHAR(*str);
			clen = 1;
			memset(&mbs, 0, sizeof(mbs));
		}
		if (CHAR(*str) == EOS)
			return (0);
	}
	return (1);
}
#ifdef DEBUG
/*
 * Debug dump of a compiled pattern: prints str as a heading, then the
 * pattern's characters, a line marking M_PROTECT'ed positions with '\'
 * and a line marking metacharacter positions with '_'.  A NULL s prints
 * only the heading.
 */
static void
qprintf(const char *str, Char *s)
{
	Char *cur;

	(void)printf("%s\n", str);
	if (s == NULL)
		return;

	for (cur = s; *cur != EOS; cur++)
		(void)putchar((char)CHAR(*cur));
	(void)putchar('\n');

	for (cur = s; *cur != EOS; cur++)
		(void)putchar(isprot(*cur) ? '\\' : ' ');
	(void)putchar('\n');

	for (cur = s; *cur != EOS; cur++)
		(void)putchar(ismeta(*cur) ? '_' : ' ');
	(void)putchar('\n');
}
#endif