[src/trunk]: src/lib/libc/gen Avoid DoS attacks for patterns that have braces...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/lib/libc/gen Avoid DoS attacks for patterns that have braces...
From: christos <christos%NetBSD.org@localhost>
Date: Mon, 06 Apr 2020 19:08:41 +0000

details:   https://anonhg.NetBSD.org/src/rev/81be6f40d1ae
branches:  trunk
changeset: 756011:81be6f40d1ae
user:      christos <christos%NetBSD.org@localhost>
date:      Fri Jul 02 21:13:10 2010 +0000

description:
Avoid DoS attacks for patterns that have braces. Noted by Maksymilian
Arciemowicz.
XXX: Pullup to 5.x

diffstat:

 lib/libc/gen/glob.c |  38 ++++++++++++++++++++------------------
 1 files changed, 20 insertions(+), 18 deletions(-)

diffs (146 lines):

diff -r a6034343dd09 -r 81be6f40d1ae lib/libc/gen/glob.c
--- a/lib/libc/gen/glob.c       Fri Jul 02 14:47:25 2010 +0000
+++ b/lib/libc/gen/glob.c       Fri Jul 02 21:13:10 2010 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: glob.c,v 1.24 2009/04/08 16:28:50 christos Exp $       */
+/*     $NetBSD: glob.c,v 1.25 2010/07/02 21:13:10 christos Exp $       */
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
 #if 0
 static char sccsid[] = "@(#)glob.c     8.3 (Berkeley) 10/13/93";
 #else
-__RCSID("$NetBSD: glob.c,v 1.24 2009/04/08 16:28:50 christos Exp $");
+__RCSID("$NetBSD: glob.c,v 1.25 2010/07/02 21:13:10 christos Exp $");
 #endif
 #endif /* LIBC_SCCS and not lint */
 
@@ -155,7 +155,7 @@
 static DIR     *g_opendir(Char *, glob_t *);
 static Char    *g_strchr(const Char *, int);
 static int      g_stat(Char *, __gl_stat_t *, glob_t *);
-static int      glob0(const Char *, glob_t *);
+static int      glob0(const Char *, glob_t *, size_t *);
 static int      glob1(Char *, glob_t *, size_t *);
 static int      glob2(Char *, Char *, Char *, Char *, glob_t *,
     size_t *);
@@ -163,8 +163,9 @@
     size_t *);
 static int      globextend(const Char *, glob_t *, size_t *);
 static const Char *globtilde(const Char *, Char *, size_t, glob_t *);
-static int      globexp1(const Char *, glob_t *);
-static int      globexp2(const Char *, const Char *, glob_t *, int *);
+static int      globexp1(const Char *, glob_t *, size_t *);
+static int      globexp2(const Char *, const Char *, glob_t *, int *,
+    size_t *);
 static int      match(Char *, Char *, Char *);
 #ifdef DEBUG
 static void     qprintf(const char *, Char *);
@@ -177,6 +178,7 @@
        const u_char *patnext;
        int c;
        Char *bufnext, *bufend, patbuf[MAXPATHLEN+1];
+       size_t limit = 0;
 
        _DIAGASSERT(pattern != NULL);
 
@@ -212,9 +214,9 @@
        *bufnext = EOS;
 
        if (flags & GLOB_BRACE)
-           return globexp1(patbuf, pglob);
+           return globexp1(patbuf, pglob, &limit);
        else
-           return glob0(patbuf, pglob);
+           return glob0(patbuf, pglob, &limit);
 }
 
 /*
@@ -223,7 +225,7 @@
  * characters
  */
 static int
-globexp1(const Char *pattern, glob_t *pglob)
+globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
 {
        const Char* ptr = pattern;
        int rv;
@@ -233,13 +235,13 @@
 
        /* Protect a single {}, for find(1), like csh */
        if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
-               return glob0(pattern, pglob);
+               return glob0(pattern, pglob, limit);
 
        while ((ptr = (const Char *) g_strchr(ptr, LBRACE)) != NULL)
-               if (!globexp2(ptr, pattern, pglob, &rv))
+               if (!globexp2(ptr, pattern, pglob, &rv, limit))
                        return rv;
 
-       return glob0(pattern, pglob);
+       return glob0(pattern, pglob, limit);
 }
 
 
@@ -249,7 +251,8 @@
  * If it fails then it tries to glob the rest of the pattern and returns.
  */
 static int
-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv)
+globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
+    size_t *limit)
 {
        int     i;
        Char   *lm, *ls;
@@ -294,7 +297,7 @@
                 * we use `pattern', not `patbuf' here so that that
                 * unbalanced braces are passed to the match
                 */
-               *rv = glob0(pattern, pglob);
+               *rv = glob0(pattern, pglob, limit);
                return 0;
        }
 
@@ -341,7 +344,7 @@
 #ifdef DEBUG
                                qprintf("globexp2:", patbuf);
 #endif
-                               *rv = globexp1(patbuf, pglob);
+                               *rv = globexp1(patbuf, pglob, limit);
 
                                /* move after the comma, to the next string */
                                pl = pm + 1;
@@ -454,13 +457,12 @@
  * to find no matches.
  */
 static int
-glob0(const Char *pattern, glob_t *pglob)
+glob0(const Char *pattern, glob_t *pglob, size_t *limit)
 {
        const Char *qpatnext;
        int c, error;
        __gl_size_t oldpathc;
        Char *bufnext, patbuf[MAXPATHLEN+1];
-       size_t limit = 0;
 
        _DIAGASSERT(pattern != NULL);
        _DIAGASSERT(pglob != NULL);
@@ -523,7 +525,7 @@
        qprintf("glob0:", patbuf);
 #endif
 
-       if ((error = glob1(patbuf, pglob, &limit)) != 0)
+       if ((error = glob1(patbuf, pglob, limit)) != 0)
                return error;
 
        if (pglob->gl_pathc == oldpathc) {      
@@ -537,7 +539,7 @@
                if ((pglob->gl_flags & GLOB_NOCHECK) ||
                    ((pglob->gl_flags & (GLOB_NOMAGIC|GLOB_MAGCHAR))
                     == GLOB_NOMAGIC)) {
-                       return globextend(pattern, pglob, &limit);
+                       return globextend(pattern, pglob, limit);
                } else {
                        return GLOB_NOMATCH;
                }

Prev by Date: [src/trunk]: src/sys/netmpls * correct packet size
Next by Date: [src/trunk]: src/distrib/sets/lists/comp add stl.mi, was previously stl.elf.
Previous by Thread: [src/trunk]: src/sys/netmpls * correct packet size
Next by Thread: [src/trunk]: src/distrib/sets/lists/comp add stl.mi, was previously stl.elf.
Indexes:

Home | Main Index | Thread Index | Old Index