[SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
[SA-14:26] Fix remote command execution in ftp(1). Approved by: so (des)
This commit is contained in:
parent
f669586400
commit
bccb6d5aa1
@ -547,7 +547,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
|
||||
url_decode(decodedpath);
|
||||
|
||||
if (outfile)
|
||||
savefile = ftp_strdup(outfile);
|
||||
savefile = outfile;
|
||||
else {
|
||||
cp = strrchr(decodedpath, '/'); /* find savefile */
|
||||
if (cp != NULL)
|
||||
@ -571,8 +571,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
|
||||
rangestart = rangeend = entitylen = -1;
|
||||
mtime = -1;
|
||||
if (restartautofetch) {
|
||||
if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
|
||||
stat(savefile, &sb) == 0)
|
||||
if (stat(savefile, &sb) == 0)
|
||||
restart_point = sb.st_size;
|
||||
}
|
||||
if (urltype == FILE_URL_T) { /* file:// URLs */
|
||||
@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
|
||||
} /* end of ftp:// or http:// specific setup */
|
||||
|
||||
/* Open the output file. */
|
||||
if (strcmp(savefile, "-") == 0) {
|
||||
fout = stdout;
|
||||
} else if (*savefile == '|') {
|
||||
oldintp = xsignal(SIGPIPE, SIG_IGN);
|
||||
fout = popen(savefile + 1, "w");
|
||||
if (fout == NULL) {
|
||||
warn("Can't execute `%s'", savefile + 1);
|
||||
goto cleanup_fetch_url;
|
||||
|
||||
/*
|
||||
* Only trust filenames with special meaning if they came from
|
||||
* the command line
|
||||
*/
|
||||
if (outfile == savefile) {
|
||||
if (strcmp(savefile, "-") == 0) {
|
||||
fout = stdout;
|
||||
} else if (*savefile == '|') {
|
||||
oldintp = xsignal(SIGPIPE, SIG_IGN);
|
||||
fout = popen(savefile + 1, "w");
|
||||
if (fout == NULL) {
|
||||
warn("Can't execute `%s'", savefile + 1);
|
||||
goto cleanup_fetch_url;
|
||||
}
|
||||
closefunc = pclose;
|
||||
}
|
||||
closefunc = pclose;
|
||||
} else {
|
||||
}
|
||||
if (fout == NULL) {
|
||||
if ((rangeend != -1 && rangeend <= restart_point) ||
|
||||
(rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
|
||||
/* already done */
|
||||
@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
|
||||
(*closefunc)(fout);
|
||||
if (res0)
|
||||
freeaddrinfo(res0);
|
||||
FREEPTR(savefile);
|
||||
if (savefile != outfile)
|
||||
FREEPTR(savefile);
|
||||
FREEPTR(uuser);
|
||||
if (pass != NULL)
|
||||
memset(pass, 0, strlen(pass));
|
||||
|
@ -2066,21 +2066,20 @@ struct getlogin_args {
|
||||
int
|
||||
sys_getlogin(struct thread *td, struct getlogin_args *uap)
|
||||
{
|
||||
int error;
|
||||
char login[MAXLOGNAME];
|
||||
struct proc *p = td->td_proc;
|
||||
size_t len;
|
||||
|
||||
if (uap->namelen > MAXLOGNAME)
|
||||
uap->namelen = MAXLOGNAME;
|
||||
PROC_LOCK(p);
|
||||
SESS_LOCK(p->p_session);
|
||||
bcopy(p->p_session->s_login, login, uap->namelen);
|
||||
len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
|
||||
SESS_UNLOCK(p->p_session);
|
||||
PROC_UNLOCK(p);
|
||||
if (strlen(login) + 1 > uap->namelen)
|
||||
if (len > uap->namelen)
|
||||
return (ERANGE);
|
||||
error = copyout(login, uap->namebuf, uap->namelen);
|
||||
return (error);
|
||||
return (copyout(login, uap->namebuf, len));
|
||||
}
|
||||
|
||||
/*
|
||||
@ -2099,21 +2098,23 @@ sys_setlogin(struct thread *td, struct setlogin_args *uap)
|
||||
int error;
|
||||
char logintmp[MAXLOGNAME];
|
||||
|
||||
CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
|
||||
|
||||
error = priv_check(td, PRIV_PROC_SETLOGIN);
|
||||
if (error)
|
||||
return (error);
|
||||
error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
|
||||
if (error == ENAMETOOLONG)
|
||||
error = EINVAL;
|
||||
else if (!error) {
|
||||
PROC_LOCK(p);
|
||||
SESS_LOCK(p->p_session);
|
||||
(void) memcpy(p->p_session->s_login, logintmp,
|
||||
sizeof(logintmp));
|
||||
SESS_UNLOCK(p->p_session);
|
||||
PROC_UNLOCK(p);
|
||||
if (error != 0) {
|
||||
if (error == ENAMETOOLONG)
|
||||
error = EINVAL;
|
||||
return (error);
|
||||
}
|
||||
return (error);
|
||||
PROC_LOCK(p);
|
||||
SESS_LOCK(p->p_session);
|
||||
strcpy(p->p_session->s_login, logintmp);
|
||||
SESS_UNLOCK(p->p_session);
|
||||
PROC_UNLOCK(p);
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
|
Loading…
Reference in New Issue
Block a user