Limit wildcard recursion depth.
trunk/caitsith-patch/README.caitsith (diff)
trunk/caitsith-patch/security/caitsith/policy_io.c (diff) trunk/caitsith-patch/caitsith/policy_io.c (diff)| @@ -1362,6 +1362,7 @@ | ||
| 1362 | 1362 | */ |
| 1363 | 1363 | static bool cs_correct_word(const char *string) |
| 1364 | 1364 | { |
| 1365 | + u8 recursion = 20; | |
| 1365 | 1366 | const char *const start = string; |
| 1366 | 1367 | u8 in_repetition = 0; |
| 1367 | 1368 | if (!*string) |
| @@ -1390,16 +1391,22 @@ | ||
| 1390 | 1391 | goto out; |
| 1391 | 1392 | } |
| 1392 | 1393 | switch (c) { |
| 1393 | - case '$': /* "\$" */ | |
| 1394 | 1394 | case '+': /* "\+" */ |
| 1395 | 1395 | case '?': /* "\?" */ |
| 1396 | + case 'x': /* "\x" */ | |
| 1397 | + case 'a': /* "\a" */ | |
| 1398 | + case '-': /* "\-" */ | |
| 1399 | + continue; | |
| 1400 | + } | |
| 1401 | + /* Reject too deep wildcard that consumes too much stack. */ | |
| 1402 | + if (!recursion--) | |
| 1403 | + goto out; | |
| 1404 | + switch (c) { | |
| 1396 | 1405 | case '*': /* "\*" */ |
| 1397 | 1406 | case '@': /* "\@" */ |
| 1398 | - case 'x': /* "\x" */ | |
| 1407 | + case '$': /* "\$" */ | |
| 1399 | 1408 | case 'X': /* "\X" */ |
| 1400 | - case 'a': /* "\a" */ | |
| 1401 | 1409 | case 'A': /* "\A" */ |
| 1402 | - case '-': /* "\-" */ | |
| 1403 | 1410 | continue; |
| 1404 | 1411 | case '{': /* "/\{" */ |
| 1405 | 1412 | if (string - 3 < start || *(string - 3) != '/') |
| @@ -1319,6 +1319,7 @@ | ||
| 1319 | 1319 | */ |
| 1320 | 1320 | static bool cs_correct_word(const char *string) |
| 1321 | 1321 | { |
| 1322 | + u8 recursion = 20; | |
| 1322 | 1323 | const char *const start = string; |
| 1323 | 1324 | u8 in_repetition = 0; |
| 1324 | 1325 | if (!*string) |
| @@ -1347,16 +1348,22 @@ | ||
| 1347 | 1348 | goto out; |
| 1348 | 1349 | } |
| 1349 | 1350 | switch (c) { |
| 1350 | - case '$': /* "\$" */ | |
| 1351 | 1351 | case '+': /* "\+" */ |
| 1352 | 1352 | case '?': /* "\?" */ |
| 1353 | + case 'x': /* "\x" */ | |
| 1354 | + case 'a': /* "\a" */ | |
| 1355 | + case '-': /* "\-" */ | |
| 1356 | + continue; | |
| 1357 | + } | |
| 1358 | + /* Reject too deep wildcard that consumes too much stack. */ | |
| 1359 | + if (!recursion--) | |
| 1360 | + goto out; | |
| 1361 | + switch (c) { | |
| 1353 | 1362 | case '*': /* "\*" */ |
| 1354 | 1363 | case '@': /* "\@" */ |
| 1355 | - case 'x': /* "\x" */ | |
| 1364 | + case '$': /* "\$" */ | |
| 1356 | 1365 | case 'X': /* "\X" */ |
| 1357 | - case 'a': /* "\a" */ | |
| 1358 | 1366 | case 'A': /* "\A" */ |
| 1359 | - case '-': /* "\-" */ | |
| 1360 | 1367 | continue; |
| 1361 | 1368 | case '{': /* "/\{" */ |
| 1362 | 1369 | if (string - 3 < start || *(string - 3) != '/') |