From 5d30d853295a5fe04cad22fdf649c5e0da6ded8c Mon Sep 17 00:00:00 2001
From: Ondřej Bílka <neleai@seznam.cz>
Date: Thu, 31 Oct 2013 13:58:01 +0100
Subject: Restrict shm_open and shm_unlink to SHMDIR. Fixes bugs 14752 and
 15763.

---
 sysdeps/unix/sysv/linux/shm_open.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'sysdeps/unix')

diff --git a/sysdeps/unix/sysv/linux/shm_open.c b/sysdeps/unix/sysv/linux/shm_open.c
index 41d93155a7..482b49cfe6 100644
--- a/sysdeps/unix/sysv/linux/shm_open.c
+++ b/sysdeps/unix/sysv/linux/shm_open.c
@@ -148,14 +148,15 @@ shm_open (const char *name, int oflag, mode_t mode)
   while (name[0] == '/')
     ++name;
 
-  if (name[0] == '\0')
+  namelen = strlen (name);
+
+  /* Validate the filename.  */
+  if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
     {
-      /* The name "/" is not supported.  */
       __set_errno (EINVAL);
       return -1;
     }
 
-  namelen = strlen (name);
   fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
   __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
 	     name, namelen + 1);
@@ -237,14 +238,15 @@ shm_unlink (const char *name)
   while (name[0] == '/')
     ++name;
 
-  if (name[0] == '\0')
+  namelen = strlen (name);
+
+  /* Validate the filename.  */
+  if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
     {
-      /* The name "/" is not supported.  */
       __set_errno (ENOENT);
       return -1;
     }
 
-  namelen = strlen (name);
   fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
   __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
 	     name, namelen + 1);
-- 
cgit v1.2.3