forked from Minki/linux
tomoyo: Limit wildcard recursion depth.
Since wildcards that need recursion consume kernel stack memory (or might cause CPU stall warning problem), we cannot allow infinite recursion. Since TOMOYO 1.8 survived with 20 recursions limit for 5 years, nobody would complain if applying this limit to TOMOYO 2.6. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
This commit is contained in:
Tetsuo Handa
parent
d9594e0409
commit
e991a40b3d
@ -434,59 +434,64 @@ void tomoyo_normalize_line(unsigned char *buffer)
|
|||||||
*/
|
*/
|
||||||
static bool tomoyo_correct_word2(const char *string, size_t len)
|
static bool tomoyo_correct_word2(const char *string, size_t len)
|
||||||
{
|
{
|
||||||
|
u8 recursion = 20;
|
||||||
const char *const start = string;
|
const char *const start = string;
|
||||||
bool in_repetition = false;
|
bool in_repetition = false;
|
||||||
unsigned char c;
|
|
||||||
unsigned char d;
|
|
||||||
unsigned char e;
|
|
||||||
|
|
||||||
if (!len)
|
if (!len)
|
||||||
goto out;
|
goto out;
|
||||||
while (len--) {
|
while (len--) {
|
||||||
c = *string++;
|
unsigned char c = *string++;
|
||||||
|
|
||||||
if (c == '\\') {
|
if (c == '\\') {
|
||||||
if (!len--)
|
if (!len--)
|
||||||
goto out;
|
goto out;
|
||||||
c = *string++;
|
c = *string++;
|
||||||
|
if (c >= '0' && c <= '3') {
|
||||||
|
unsigned char d;
|
||||||
|
unsigned char e;
|
||||||
|
|
||||||
|
if (!len-- || !len--)
|
||||||
|
goto out;
|
||||||
|
d = *string++;
|
||||||
|
e = *string++;
|
||||||
|
if (d < '0' || d > '7' || e < '0' || e > '7')
|
||||||
|
goto out;
|
||||||
|
c = tomoyo_make_byte(c, d, e);
|
||||||
|
if (c <= ' ' || c >= 127)
|
||||||
|
continue;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
switch (c) {
|
switch (c) {
|
||||||
case '\\': /* "\\" */
|
case '\\': /* "\\" */
|
||||||
continue;
|
|
||||||
case '$': /* "\$" */
|
|
||||||
case '+': /* "\+" */
|
case '+': /* "\+" */
|
||||||
case '?': /* "\?" */
|
case '?': /* "\?" */
|
||||||
|
case 'x': /* "\x" */
|
||||||
|
case 'a': /* "\a" */
|
||||||
|
case '-': /* "\-" */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if (!recursion--)
|
||||||
|
goto out;
|
||||||
|
switch (c) {
|
||||||
case '*': /* "\*" */
|
case '*': /* "\*" */
|
||||||
case '@': /* "\@" */
|
case '@': /* "\@" */
|
||||||
case 'x': /* "\x" */
|
case '$': /* "\$" */
|
||||||
case 'X': /* "\X" */
|
case 'X': /* "\X" */
|
||||||
case 'a': /* "\a" */
|
|
||||||
case 'A': /* "\A" */
|
case 'A': /* "\A" */
|
||||||
case '-': /* "\-" */
|
|
||||||
continue;
|
continue;
|
||||||
case '{': /* "/\{" */
|
case '{': /* "/\{" */
|
||||||
if (string - 3 < start || *(string - 3) != '/')
|
if (string - 3 < start || *(string - 3) != '/')
|
||||||
break;
|
goto out;
|
||||||
in_repetition = true;
|
in_repetition = true;
|
||||||
continue;
|
continue;
|
||||||
case '}': /* "\}/" */
|
case '}': /* "\}/" */
|
||||||
if (*string != '/')
|
if (*string != '/')
|
||||||
break;
|
goto out;
|
||||||
if (!in_repetition)
|
if (!in_repetition)
|
||||||
break;
|
goto out;
|
||||||
in_repetition = false;
|
in_repetition = false;
|
||||||
continue;
|
continue;
|
||||||
case '0': /* "\ooo" */
|
|
||||||
case '1':
|
|
||||||
case '2':
|
|
||||||
case '3':
|
|
||||||
if (!len-- || !len--)
|
|
||||||
break;
|
|
||||||
d = *string++;
|
|
||||||
e = *string++;
|
|
||||||
if (d < '0' || d > '7' || e < '0' || e > '7')
|
|
||||||
break;
|
|
||||||
c = tomoyo_make_byte(c, d, e);
|
|
||||||
if (c <= ' ' || c >= 127)
|
|
||||||
continue;
|
|
||||||
}
|
}
|
||||||
goto out;
|
goto out;
|
||||||
} else if (in_repetition && c == '/') {
|
} else if (in_repetition && c == '/') {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user