diff options
| author | Konstantin Belousov <kib@FreeBSD.org> | 2021-02-28 00:15:21 +0000 |
|---|---|---|
| committer | Konstantin Belousov <kib@FreeBSD.org> | 2021-03-02 18:21:35 +0000 |
| commit | 49c98a4bf3a87ace0df99056fa683805c1645e61 (patch) | |
| tree | 703a7919b387ba39457882b50efcc2c1e3f1073d | |
| parent | e8a2862aa0384c75603f801625e309a3dae0ed05 (diff) | |
| download | src-49c98a4bf3a87ace0df99056fa683805c1645e61.tar.gz src-49c98a4bf3a87ace0df99056fa683805c1645e61.zip | |
nameicap_check_dotdot: trim tracker on check
Tracker should contain exactly the path from the starting directory to
the current lookup point. Otherwise we might not detect some cases of
dotdot escape. Consequently, if we are walking up the tree by dotdot
lookup, we must remove an entries below the walked directory.
Reviewed by: markj
Tested by: arichardson, pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D28907
| -rw-r--r-- | sys/kern/vfs_lookup.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index abc01c73e24c..b4280f85c5b6 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -240,8 +240,12 @@ nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp) return (ENOTCAPABLE); TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head, nm_link) { - if (dp == nt->dp) + if (dp == nt->dp) { + nt = TAILQ_NEXT(nt, nm_link); + if (nt != NULL) + nameicap_cleanup_from(ndp, nt); return (0); + } } return (ENOTCAPABLE); } |