FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability


by Jakub Lach


http://www.milw0rm.com/exploits/8786

http://redmine.lighttpd.net/issues/1989

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768

affected: FreeBSD, OSX, Solaris < 10
not affected: Linux, NetBSD, OpenBSD, DragonflyBSD, Solaris 10

Re: FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability

by Dag-Erling Smørgrav


[moving from security@ to hackers@]

Jakub Lach <jakub_lach@...> writes:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768

As bde@ pointed out, the patch is incorrect.  It moves the test for
v_type != VDIR up to a point where, in the case of a symlink, v_type is
always (by definition) VLNK.

The reason why the current code does not work is that, in the symlink
case, the v_type != VDIR test is never reached: we will have jumped to
either bad2 or success.  However, it should be safe to move the test to
after the success label, because trailing_slash is only ever true for
the last component of the path we were asked to look up (see lines 520
through 535).

The attached patch should work.

DES
--
Dag-Erling Smørgrav - des@...


Index: sys/kern/vfs_lookup.c
===================================================================
--- sys/kern/vfs_lookup.c (revision 192614)
+++ sys/kern/vfs_lookup.c (working copy)
@@ -800,14 +800,6 @@
  goto success;
  }
 
- /*
- * Check for bogus trailing slashes.
- */
- if (trailing_slash && dp->v_type != VDIR) {
- error = ENOTDIR;
- goto bad2;
- }
-
 nextname:
  /*
  * Not a symbolic link.  If more pathname,
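Review bot: this hunk is only half of a move; applied on its own it deletes the trailing-slash check before `nextname:` without a replacement, so the fall-through path for a regular file (the "Not a symbolic link" case the following comment describes) would lose its ENOTDIR check entirely. Both hunks have to land together. The removal itself matches the analysis in the message: the `goto success;` at the top of the hunk is taken for symlinks, so the check in this position was skipped in exactly the case that matters.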
@@ -861,6 +853,14 @@
  VOP_UNLOCK(dp, 0);
 success:
  /*
+ * Check for bogus trailing slashes.
+ */
+ if (trailing_slash && dp->v_type != VDIR) {
+ error = ENOTDIR;
+ goto bad2;
+ }
+
+ /*
  * Because of lookup_shared we may have the vnode shared locked, but
  * the caller may want it to be exclusively locked.
  */
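Review bot: at `success:` the vnode in `dp` is still the symlink itself when control arrives through the symlink branch's `goto success;`, so `trailing_slash && dp->v_type != VDIR` now fails with ENOTDIR for every trailing-slash lookup whose last component is a symlink, including a symlink to a directory such as a `/usr/home -> /home` link, not only the symlink-to-regular-file case the thread is about. Adding `dp->v_type != VLNK` to the condition avoids that regression but reintroduces the original hole, because a link to a regular file is then never rejected either; the trailing slash has to be remembered across the symlink traversal and re-checked against the resolved target's v_type once the link has been followed.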

_______________________________________________
freebsd-security@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security