[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 4/7] vvfat: Check that updated filenames are valid
|
From: |
Kevin Wolf |
|
Subject: |
[PULL 4/7] vvfat: Check that updated filenames are valid |
|
Date: |
Fri, 3 Jul 2020 11:21:40 +0200 |
FAT allows only a restricted set of characters in file names, and for
some of the illegal characters, it's actually important that we catch
them: If filenames can contain '/', the guest can construct filenames
containing "../" and escape from the assigned vvfat directory. The same
problem could arise if ".." was ever accepted as a literal filename.
Fix this by adding a check that all filenames are valid in
check_directory_consistency().
Reported-by: Nathan Huckleberry <nhuck15@gmail.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200623175534.38286-2-kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/vvfat.c | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/block/vvfat.c b/block/vvfat.c
index c65a98e3ee..62230542e5 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -520,12 +520,31 @@ static void set_begin_of_direntry(direntry_t* direntry,
uint32_t begin)
direntry->begin_hi = cpu_to_le16((begin >> 16) & 0xffff);
}
+static bool valid_filename(const unsigned char *name)
+{
+ unsigned char c;
+ if (!strcmp((const char*)name, ".") || !strcmp((const char*)name, "..")) {
+ return false;
+ }
+ for (; (c = *name); name++) {
+ if (!((c >= '0' && c <= '9') ||
+ (c >= 'A' && c <= 'Z') ||
+ (c >= 'a' && c <= 'z') ||
+ c > 127 ||
+ strchr("$%'-_@~`!(){}^#&.+,;=[]", c) != NULL))
+ {
+ return false;
+ }
+ }
+ return true;
+}
+
static uint8_t to_valid_short_char(gunichar c)
{
c = g_unichar_toupper(c);
if ((c >= '0' && c <= '9') ||
(c >= 'A' && c <= 'Z') ||
- strchr("$%'-_@~`!(){}^#&", c) != 0) {
+ strchr("$%'-_@~`!(){}^#&", c) != NULL) {
return c;
} else {
return 0;
@@ -2098,6 +2117,10 @@ DLOG(fprintf(stderr, "check direntry %d:\n", i);
print_direntry(direntries + i))
}
lfn.checksum = 0x100; /* cannot use long name twice */
+ if (!valid_filename(lfn.name)) {
+ fprintf(stderr, "Invalid file name\n");
+ goto fail;
+ }
if (path_len + 1 + lfn.len >= PATH_MAX) {
fprintf(stderr, "Name too long: %s/%s\n", path, lfn.name);
goto fail;
--
2.25.4
- [PULL 0/7] Block layer patches, Kevin Wolf, 2020/07/03
- [PULL 1/7] qemu-img convert: Don't pre-zero images, Kevin Wolf, 2020/07/03
- [PULL 2/7] qemu-storage-daemon: remember to add qemu_object_opts, Kevin Wolf, 2020/07/03
- [PULL 5/7] vvfat: Fix array_remove_slice(), Kevin Wolf, 2020/07/03
- [PULL 6/7] iotests.py: Do not wait() before communicate(), Kevin Wolf, 2020/07/03
- [PULL 3/7] qemu-storage-daemon: add missing cleanup calls, Kevin Wolf, 2020/07/03
- [PULL 7/7] iotests: Fix 051 output after qdev_init_nofail() removal, Kevin Wolf, 2020/07/03
- [PULL 4/7] vvfat: Check that updated filenames are valid,
Kevin Wolf <=
- Re: [PULL 0/7] Block layer patches, no-reply, 2020/07/03
- Re: [PULL 0/7] Block layer patches, Peter Maydell, 2020/07/04