diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2020-12-14 23:05:10 +0300 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2020-12-14 23:05:10 +0300 |
| commit | da0628559871475b482f015dc24c9bef372936e4 (patch) | |
| tree | 321af8748bb3de173183d3d86816a7f46254dd9b /security/tomoyo/util.c | |
| parent | fab0fca1da5cdc48be051715cd9787df04fdce3a (diff) | |
| parent | 15269fb193108ba8a3774507d0bbd70949ab610d (diff) | |
| download | linux-da0628559871475b482f015dc24c9bef372936e4.tar.xz | |
Merge tag 'tomoyo-pr-20201214' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1
Pull tomoyo updates from Tetsuo Handa:
"Limit recursion depth, fix clang warning, fix comment typo, and
silence memory allocation failure warning"
* tag 'tomoyo-pr-20201214' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1:
tomoyo: Fix typo in comments.
tomoyo: Fix null pointer check
tomoyo: Limit wildcard recursion depth.
tomoyo: fix clang pointer arithmetic warning
tomoyo: Loosen pathname/domainname validation.
Diffstat (limited to 'security/tomoyo/util.c')
| -rw-r--r-- | security/tomoyo/util.c | 55 |
1 files changed, 30 insertions, 25 deletions
diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c index a40abb0b91ee..176b803ebcfc 100644 --- a/security/tomoyo/util.c +++ b/security/tomoyo/util.c @@ -434,59 +434,64 @@ void tomoyo_normalize_line(unsigned char *buffer) */ static bool tomoyo_correct_word2(const char *string, size_t len) { + u8 recursion = 20; const char *const start = string; bool in_repetition = false; - unsigned char c; - unsigned char d; - unsigned char e; if (!len) goto out; while (len--) { - c = *string++; + unsigned char c = *string++; + if (c == '\\') { if (!len--) goto out; c = *string++; + if (c >= '0' && c <= '3') { + unsigned char d; + unsigned char e; + + if (!len-- || !len--) + goto out; + d = *string++; + e = *string++; + if (d < '0' || d > '7' || e < '0' || e > '7') + goto out; + c = tomoyo_make_byte(c, d, e); + if (c <= ' ' || c >= 127) + continue; + goto out; + } switch (c) { case '\\': /* "\\" */ - continue; - case '$': /* "\$" */ case '+': /* "\+" */ case '?': /* "\?" */ + case 'x': /* "\x" */ + case 'a': /* "\a" */ + case '-': /* "\-" */ + continue; + } + if (!recursion--) + goto out; + switch (c) { case '*': /* "\*" */ case '@': /* "\@" */ - case 'x': /* "\x" */ + case '$': /* "\$" */ case 'X': /* "\X" */ - case 'a': /* "\a" */ case 'A': /* "\A" */ - case '-': /* "\-" */ continue; case '{': /* "/\{" */ if (string - 3 < start || *(string - 3) != '/') - break; + goto out; in_repetition = true; continue; case '}': /* "\}/" */ if (*string != '/') - break; + goto out; if (!in_repetition) - break; + goto out; in_repetition = false; continue; - case '0': /* "\ooo" */ - case '1': - case '2': - case '3': - if (!len-- || !len--) - break; - d = *string++; - e = *string++; - if (d < '0' || d > '7' || e < '0' || e > '7') - break; - c = tomoyo_make_byte(c, d, e); - if (c <= ' ' || c >= 127) - continue; } goto out; } else if (in_repetition && c == '/') { |