aboutsummaryrefslogtreecommitdiff
path: root/tools/virtiofsd
diff options
context:
space:
mode:
authorGreg Kurz <groug@kaod.org>2021-03-12 15:10:03 +0100
committerDr. David Alan Gilbert <dgilbert@redhat.com>2021-03-15 20:01:55 +0000
commit28d1ad0ea41342472afda15b515d95671eac4030 (patch)
treef4fd54263e44b1645da54323acc1ef7ceeca4a24 /tools/virtiofsd
parent6d118c4349966a1890d00bbbdc42001f173c6e4d (diff)
downloadqemu-28d1ad0ea41342472afda15b515d95671eac4030.zip
qemu-28d1ad0ea41342472afda15b515d95671eac4030.tar.gz
qemu-28d1ad0ea41342472afda15b515d95671eac4030.tar.bz2
virtiofsd: Don't allow empty filenames
POSIX.1-2017 clearly stipulates that empty filenames aren't allowed ([1] and [2]). Since virtiofsd is supposed to mirror the host file system hierarchy and the host can be assumed to be linux, we don't really expect clients to pass requests with an empty path in it. If they do so anyway, this would eventually cause an error when trying to create/lookup the actual inode on the underlying POSIX filesystem. But this could still confuse some code that wouldn't be ready to cope with this. Filter out empty names coming from the client at the top level, so that the rest doesn't have to care about it. This is done everywhere we already call is_safe_path_component(), but in a separate helper since the usual error for empty path names is ENOENT instead of EINVAL. [1] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_170 [2] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_13 Signed-off-by: Greg Kurz <groug@kaod.org> Message-Id: <20210312141003.819108-4-groug@kaod.org> Reviewed-by: Connor Kuehl <ckuehl@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Diffstat (limited to 'tools/virtiofsd')
-rw-r--r--tools/virtiofsd/passthrough_ll.c35
1 files changed, 35 insertions, 0 deletions
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 851c25e..b07101d 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -239,6 +239,11 @@ static int is_safe_path_component(const char *path)
return !is_dot_or_dotdot(path);
}
+static bool is_empty(const char *name)
+{
+ return name[0] == '\0';
+}
+
static struct lo_data *lo_data(fuse_req_t req)
{
return (struct lo_data *)fuse_req_userdata(req);
@@ -1085,6 +1090,11 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
fuse_log(FUSE_LOG_DEBUG, "lo_lookup(parent=%" PRIu64 ", name=%s)\n", parent,
name);
+ if (is_empty(name)) {
+ fuse_reply_err(req, ENOENT);
+ return;
+ }
+
/*
* Don't use is_safe_path_component(), allow "." and ".." for NFS export
* support.
@@ -1176,6 +1186,11 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent,
struct fuse_entry_param e;
struct lo_cred old = {};
+ if (is_empty(name)) {
+ fuse_reply_err(req, ENOENT);
+ return;
+ }
+
if (!is_safe_path_component(name)) {
fuse_reply_err(req, EINVAL);
return;
@@ -1248,6 +1263,11 @@ static void lo_link(fuse_req_t req, fuse_ino_t ino, fuse_ino_t parent,
char procname[64];
int saverr;
+ if (is_empty(name)) {
+ fuse_reply_err(req, ENOENT);
+ return;
+ }
+
if (!is_safe_path_component(name)) {
fuse_reply_err(req, EINVAL);
return;
@@ -1326,6 +1346,11 @@ static void lo_rmdir(fuse_req_t req, fuse_ino_t parent, const char *name)
struct lo_inode *inode;
struct lo_data *lo = lo_data(req);
+ if (is_empty(name)) {
+ fuse_reply_err(req, ENOENT);
+ return;
+ }
+
if (!is_safe_path_component(name)) {
fuse_reply_err(req, EINVAL);
return;
@@ -1355,6 +1380,11 @@ static void lo_rename(fuse_req_t req, fuse_ino_t parent, const char *name,
struct lo_inode *newinode = NULL;
struct lo_data *lo = lo_data(req);
+ if (is_empty(name) || is_empty(newname)) {
+ fuse_reply_err(req, ENOENT);
+ return;
+ }
+
if (!is_safe_path_component(name) || !is_safe_path_component(newname)) {
fuse_reply_err(req, EINVAL);
return;
@@ -1408,6 +1438,11 @@ static void lo_unlink(fuse_req_t req, fuse_ino_t parent, const char *name)
struct lo_inode *inode;
struct lo_data *lo = lo_data(req);
+ if (is_empty(name)) {
+ fuse_reply_err(req, ENOENT);
+ return;
+ }
+
if (!is_safe_path_component(name)) {
fuse_reply_err(req, EINVAL);
return;