Protect against DoS attacks, such as being described in CVE-2010-2632.
The changes were derived from what has been committed to NetBSD, with
modifications. These are:
1. Preserve the existsing GLOB_LIMIT behaviour by including the number
of matches to the set of parameters to limit.
2. Change some of the limits to avoid impacting normal use cases:
GLOB_LIMIT_STRING - change from 65536 to ARG_MAX so that glob(3)
can still provide a full command line of expanded names.
GLOB_LIMIT_STAT - change from 128 to 1024 for no other reason than
that 128 feels too low (it's not a limit that impacts the
behaviour of the test program listed in CVE-2010-2632).
GLOB_LIMIT_PATH - change from 1024 to 65536 so that glob(3) can
still provide a fill command line of expanded names.
3. Protect against buffer overruns when we hit the GLOB_LIMIT_STAT or
GLOB_LIMIT_READDIR limits. We append SEP and EOS to pathend in
those cases. Return GLOB_ABORTED instead of GLOB_NOSPACE when we
would otherwise overrun the buffer.
This change also modifies the existing behaviour of glob(3) in case
GLOB_LIMIT is specifies by limiting the *new* matches and not all
matches. This is an important distinction when GLOB_APPEND is set or
when the caller uses a non-zero gl_offs. Previously pre-existing
matches or the value of gl_offs would be counted in the number of
matches even though the man page states that glob(3) would return
GLOB_NOSPACE when gl_matchc or more matches were found.
The limits that cannot be circumvented are GLOB_LIMIT_STRING and
GLOB_LIMIT_PATH all others can be crossed by simply calling glob(3)
again and with GLOB_APPEND set.
The entire description above applies only when GLOB_LIMIT has been
specified of course. No limits apply when this flag isn't set!
Obtained from: Juniper Networks, Inc
This commit is contained in:
Marcel Moolenaar
parent
ff08349df5
commit
daab0b01ed
@ -94,6 +94,25 @@ __FBSDID("$FreeBSD$");
|
||||
|
||||
#include "collate.h"
|
||||
|
||||
/*
|
||||
* glob(3) expansion limits. Stop the expansion if any of these limits
|
||||
* is reached. This caps the runtime in the face of DoS attacks. See
|
||||
* also CVE-2010-2632
|
||||
*/
|
||||
#define GLOB_LIMIT_BRACE 128 /* number of brace calls */
|
||||
#define GLOB_LIMIT_PATH 65536 /* number of path elements */
|
||||
#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */
|
||||
#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */
|
||||
#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */
|
||||
|
||||
struct glob_limit {
|
||||
size_t l_brace_cnt;
|
||||
size_t l_path_lim;
|
||||
size_t l_readdir_cnt;
|
||||
size_t l_stat_cnt;
|
||||
size_t l_string_cnt;
|
||||
};
|
||||
|
||||
#define DOLLAR '$'
|
||||
#define DOT '.'
|
||||
#define EOS '\0'
|
||||
@ -153,15 +172,18 @@ static const Char *g_strchr(const Char *, wchar_t);
|
||||
static Char *g_strcat(Char *, const Char *);
|
||||
#endif
|
||||
static int g_stat(Char *, struct stat *, glob_t *);
|
||||
static int glob0(const Char *, glob_t *, size_t *);
|
||||
static int glob1(Char *, glob_t *, size_t *);
|
||||
static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *);
|
||||
static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *);
|
||||
static int globextend(const Char *, glob_t *, size_t *);
|
||||
static const Char *
|
||||
static int glob0(const Char *, glob_t *, struct glob_limit *);
|
||||
static int glob1(Char *, glob_t *, struct glob_limit *);
|
||||
static int glob2(Char *, Char *, Char *, Char *, glob_t *,
|
||||
struct glob_limit *);
|
||||
static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
|
||||
struct glob_limit *);
|
||||
static int globextend(const Char *, glob_t *, struct glob_limit *);
|
||||
static const Char *
|
||||
globtilde(const Char *, Char *, size_t, glob_t *);
|
||||
static int globexp1(const Char *, glob_t *, size_t *);
|
||||
static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *);
|
||||
static int globexp1(const Char *, glob_t *, struct glob_limit *);
|
||||
static int globexp2(const Char *, const Char *, glob_t *, int *,
|
||||
struct glob_limit *);
|
||||
static int match(Char *, Char *, Char *);
|
||||
#ifdef DEBUG
|
||||
static void qprintf(const char *, Char *);
|
||||
@ -171,8 +193,8 @@ int
|
||||
glob(const char * __restrict pattern, int flags,
|
||||
int (*errfunc)(const char *, int), glob_t * __restrict pglob)
|
||||
{
|
||||
struct glob_limit limit = { 0, 0, 0, 0, 0 };
|
||||
const char *patnext;
|
||||
size_t limit;
|
||||
Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot;
|
||||
mbstate_t mbs;
|
||||
wchar_t wc;
|
||||
@ -186,11 +208,10 @@ glob(const char * __restrict pattern, int flags,
|
||||
pglob->gl_offs = 0;
|
||||
}
|
||||
if (flags & GLOB_LIMIT) {
|
||||
limit = pglob->gl_matchc;
|
||||
if (limit == 0)
|
||||
limit = ARG_MAX;
|
||||
} else
|
||||
limit = 0;
|
||||
limit.l_path_lim = pglob->gl_matchc;
|
||||
if (limit.l_path_lim == 0)
|
||||
limit.l_path_lim = GLOB_LIMIT_PATH;
|
||||
}
|
||||
pglob->gl_flags = flags & ~GLOB_MAGCHAR;
|
||||
pglob->gl_errfunc = errfunc;
|
||||
pglob->gl_matchc = 0;
|
||||
@ -243,11 +264,17 @@ glob(const char * __restrict pattern, int flags,
|
||||
* characters
|
||||
*/
|
||||
static int
|
||||
globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
|
||||
globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
|
||||
{
|
||||
const Char* ptr = pattern;
|
||||
int rv;
|
||||
|
||||
if ((pglob->gl_flags & GLOB_LIMIT) &&
|
||||
limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
|
||||
errno = 0;
|
||||
return (GLOB_NOSPACE);
|
||||
}
|
||||
|
||||
/* Protect a single {}, for find(1), like csh */
|
||||
if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
|
||||
return glob0(pattern, pglob, limit);
|
||||
@ -266,7 +293,8 @@ globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
|
||||
* If it fails then it tries to glob the rest of the pattern and returns.
|
||||
*/
|
||||
static int
|
||||
globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit)
|
||||
globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
|
||||
struct glob_limit *limit)
|
||||
{
|
||||
int i;
|
||||
Char *lm, *ls;
|
||||
@ -436,7 +464,7 @@ globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
|
||||
* if things went well, nonzero if errors occurred.
|
||||
*/
|
||||
static int
|
||||
glob0(const Char *pattern, glob_t *pglob, size_t *limit)
|
||||
glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
|
||||
{
|
||||
const Char *qpatnext;
|
||||
int err;
|
||||
@ -529,7 +557,7 @@ compare(const void *p, const void *q)
|
||||
}
|
||||
|
||||
static int
|
||||
glob1(Char *pattern, glob_t *pglob, size_t *limit)
|
||||
glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
|
||||
{
|
||||
Char pathbuf[MAXPATHLEN];
|
||||
|
||||
@ -547,7 +575,7 @@ glob1(Char *pattern, glob_t *pglob, size_t *limit)
|
||||
*/
|
||||
static int
|
||||
glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
|
||||
glob_t *pglob, size_t *limit)
|
||||
glob_t *pglob, struct glob_limit *limit)
|
||||
{
|
||||
struct stat sb;
|
||||
Char *p, *q;
|
||||
@ -563,6 +591,15 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
|
||||
if (g_lstat(pathbuf, &sb, pglob))
|
||||
return (0);
|
||||
|
||||
if ((pglob->gl_flags & GLOB_LIMIT) &&
|
||||
limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
|
||||
errno = 0;
|
||||
if (pathend + 1 > pathend_last)
|
||||
return (GLOB_ABORTED);
|
||||
*pathend++ = SEP;
|
||||
*pathend = EOS;
|
||||
return (GLOB_NOSPACE);
|
||||
}
|
||||
if (((pglob->gl_flags & GLOB_MARK) &&
|
||||
pathend[-1] != SEP) && (S_ISDIR(sb.st_mode)
|
||||
|| (S_ISLNK(sb.st_mode) &&
|
||||
@ -606,7 +643,7 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
|
||||
static int
|
||||
glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
|
||||
Char *pattern, Char *restpattern,
|
||||
glob_t *pglob, size_t *limit)
|
||||
glob_t *pglob, struct glob_limit *limit)
|
||||
{
|
||||
struct dirent *dp;
|
||||
DIR *dirp;
|
||||
@ -652,6 +689,19 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
|
||||
size_t clen;
|
||||
mbstate_t mbs;
|
||||
|
||||
if ((pglob->gl_flags & GLOB_LIMIT) &&
|
||||
limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
|
||||
errno = 0;
|
||||
if (pathend + 1 > pathend_last)
|
||||
err = GLOB_ABORTED;
|
||||
else {
|
||||
*pathend++ = SEP;
|
||||
*pathend = EOS;
|
||||
err = GLOB_NOSPACE;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
/* Initial DOT must be matched literally. */
|
||||
if (dp->d_name[0] == DOT && *pattern != DOT)
|
||||
continue;
|
||||
@ -702,14 +752,15 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
|
||||
* gl_pathv points to (gl_offs + gl_pathc + 1) items.
|
||||
*/
|
||||
static int
|
||||
globextend(const Char *path, glob_t *pglob, size_t *limit)
|
||||
globextend(const Char *path, glob_t *pglob, struct glob_limit *limit)
|
||||
{
|
||||
char **pathv;
|
||||
size_t i, newsize, len;
|
||||
char *copy;
|
||||
const Char *p;
|
||||
|
||||
if (*limit && pglob->gl_pathc > *limit) {
|
||||
if ((pglob->gl_flags & GLOB_LIMIT) &&
|
||||
pglob->gl_matchc > limit->l_path_lim) {
|
||||
errno = 0;
|
||||
return (GLOB_NOSPACE);
|
||||
}
|
||||
@ -731,6 +782,12 @@ globextend(const Char *path, glob_t *pglob, size_t *limit)
|
||||
for (p = path; *p++;)
|
||||
continue;
|
||||
len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */
|
||||
limit->l_string_cnt += len;
|
||||
if ((pglob->gl_flags & GLOB_LIMIT) &&
|
||||
limit->l_string_cnt >= GLOB_LIMIT_STRING) {
|
||||
errno = 0;
|
||||
return (GLOB_NOSPACE);
|
||||
}
|
||||
if ((copy = malloc(len)) != NULL) {
|
||||
if (g_Ctoc(path, copy, len)) {
|
||||
free(copy);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user