Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

author: David S. Miller <davem@davemloft.net> 2016-02-01 18:44:07 -0800
committer: David S. Miller <davem@davemloft.net> 2016-02-01 18:44:07 -0800
commit: b45efa30a626e915192a6c548cd8642379cd47cc (patch)
tree: 90d8b43ebceb850b0e7852d75283aebbd2abbc00 /fs/coredump.c
parent: 7a26019fdecdb45ff784ae4e3b7e0cc9045100ca (diff)
parent: 34229b277480f46c1e9a19f027f30b074512e68b (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/fs/coredump.c b/fs/coredump.c
index b3c153ca435d..9ea87e9fdccf 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -118,6 +118,26 @@ int cn_esc_printf(struct core_name *cn, const char *fmt, ...)
 	ret = cn_vprintf(cn, fmt, arg);
 	va_end(arg);
 
+	if (ret == 0) {
+		/*
+		 * Ensure that this coredump name component can't cause the
+		 * resulting corefile path to consist of a ".." or ".".
+		 */
+		if ((cn->used - cur == 1 && cn->corename[cur] == '.') ||
+				(cn->used - cur == 2 && cn->corename[cur] == '.'
+				&& cn->corename[cur+1] == '.'))
+			cn->corename[cur] = '!';
+
+		/*
+		 * Empty names are fishy and could be used to create a "//" in a
+		 * corefile name, causing the coredump to happen one directory
+		 * level too high. Enforce that all components of the core
+		 * pattern are at least one character long.
+		 */
+		if (cn->used == cur)
+			ret = cn_printf(cn, "!");
+	}
+
 	for (; cur < cn->used; ++cur) {
 		if (cn->corename[cur] == '/')
 			cn->corename[cur] = '!';
author	David S. Miller <davem@davemloft.net>	2016-02-01 18:44:07 -0800
committer	David S. Miller <davem@davemloft.net>	2016-02-01 18:44:07 -0800
commit	b45efa30a626e915192a6c548cd8642379cd47cc (patch)
tree	90d8b43ebceb850b0e7852d75283aebbd2abbc00 /fs/coredump.c
parent	7a26019fdecdb45ff784ae4e3b7e0cc9045100ca (diff)
parent	34229b277480f46c1e9a19f027f30b074512e68b (diff)