author | Ondřej Bílka <neleai@seznam.cz> | 2013-10-31 13:58:01 +0100 |
---|---|---|
committer | Ondřej Bílka <neleai@seznam.cz> | 2013-10-31 13:59:01 +0100 |
commit | 5d30d853295a5fe04cad22fdf649c5e0da6ded8c (patch) | |
tree | 9428bf5c8d81db0efbc55c3e51cc0fe94244fb51 /sysdeps | |
parent | 8a43e768d9404c64e0d98d7a54871abad427fd69 (diff) | |
Restrict shm_open and shm_unlink to SHMDIR. Fixes bugs 14752 and 15763.
Diffstat (limited to 'sysdeps')
-rw-r--r-- | sysdeps/unix/sysv/linux/shm_open.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/sysdeps/unix/sysv/linux/shm_open.c b/sysdeps/unix/sysv/linux/shm_open.c
index 41d93155a7..482b49cfe6 100644
--- a/sysdeps/unix/sysv/linux/shm_open.c
+++ b/sysdeps/unix/sysv/linux/shm_open.c
@@ -148,14 +148,15 @@ shm_open (const char *name, int oflag, mode_t mode)
 while (name[0] == '/')
 ++name;
- if (name[0] == '\0')
+ namelen = strlen (name);
+
+ /* Validate the filename. */
+ if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
 {
- /* The name "/" is not supported. */
 __set_errno (EINVAL);
 return -1;
 }
- namelen = strlen (name);
 fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
 __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
 name, namelen + 1);
@@ -237,14 +238,15 @@ shm_unlink (const char *name)
 while (name[0] == '/')
 ++name;
- if (name[0] == '\0')
+ namelen = strlen (name);
+
+ /* Validate the filename. */
+ if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
 {
- /* The name "/" is not supported. */
 __set_errno (ENOENT);
 return -1;
 }
- namelen = strlen (name);
 fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
 __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
 name, namelen + 1);
 |
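Review bot: The slash test in the new validation condition is inverted: `strchr (name, '/') == NULL` is true exactly when the name has no embedded slash, so shm_open now fails with EINVAL for every ordinary single-component name, while a name that does contain `/` passes the check and is still appended to mountpoint.dir. That is the opposite of the restriction to SHMDIR that the commit message describes. The condition should read `if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') != NULL)`. The shm_unlink hunk carries the same inverted test and needs the same one-character change. Both function bodies start and end outside the hunks, so the remaining path handling is not visible here. A regression test that opens a plain name successfully and expects a failure for a name with an embedded slash would catch this.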