From: David Goulet Date: Tue, 25 Feb 2014 19:45:08 +0000 (-0500) Subject: Fix: forbid session name creation if contains / X-Git-Tag: v2.3.2~4 X-Git-Url: https://git.lttng.org./?a=commitdiff_plain;h=beb7c14849e4c7973ff94e61787989173e84ca4e;p=lttng-tools.git Fix: forbid session name creation if contains / This adds a validation function for session name which for now denies any session name containing '/'. This is in response of bug #721 that actually uses a path as a session name such as "test/../session1" which would then be concatenated to the session path adding a relative path to it making this a serious security issue. Because of this issue, this is backported from master up to stable-2.3. Fixes #721 Signed-off-by: David Goulet --- diff --git a/doc/man/lttng.1 b/doc/man/lttng.1 index 0f9cd9c51..f97452ed8 100644 --- a/doc/man/lttng.1 +++ b/doc/man/lttng.1 @@ -233,6 +233,8 @@ The $HOME environment variable can be overridden by defining the environment variable LTTNG_HOME. This is useful when the user running the commands has a non-writeable home directory. +The session name MUST NOT contain the character '/'. + .B OPTIONS: .TP diff --git a/include/lttng/lttng-error.h b/include/lttng/lttng-error.h index a94fcd697..db0a11ffa 100644 --- a/include/lttng/lttng-error.h +++ b/include/lttng/lttng-error.h @@ -103,7 +103,7 @@ enum lttng_error_code { LTTNG_ERR_UST_STREAM_FAIL = 70, /* UST create stream failed */ LTTNG_ERR_SNAPSHOT_NODATA = 71, /* No data in snapshot. */ LTTNG_ERR_NO_CHANNEL = 72, /* No channel found in the session. */ - /* 73 */ + LTTNG_ERR_SESSION_INVALID_CHAR = 73, /* Invalid characters found in session name. */ LTTNG_ERR_UST_LIST_FAIL = 74, /* UST listing events failed */ LTTNG_ERR_UST_EVENT_EXIST = 75, /* UST event exist */ LTTNG_ERR_UST_EVENT_NOT_FOUND = 76, /* UST event not found */ diff --git a/src/bin/lttng-sessiond/session.c b/src/bin/lttng-sessiond/session.c index a777b0414..def0e9c6f 100644 --- a/src/bin/lttng-sessiond/session.c +++ b/src/bin/lttng-sessiond/session.c @@ -49,6 +49,42 @@ static struct ltt_session_list ltt_session_list = { .next_uuid = 0, }; +/* These characters are forbidden in a session name. Used by validate_name. */ +static const char *forbidden_name_chars = "/"; + +/* + * Validate the session name for forbidden characters. + * + * Return 0 on success else -1 meaning a forbidden char. has been found. + */ +static int validate_name(const char *name) +{ + int ret; + char *tok, *tmp_name; + + assert(name); + + tmp_name = strdup(name); + if (!tmp_name) { + /* ENOMEM here. */ + ret = -1; + goto error; + } + + tok = strpbrk(tmp_name, forbidden_name_chars); + if (tok) { + DBG("Session name %s contains a forbidden character", name); + /* Forbidden character has been found. */ + ret = -1; + goto error; + } + ret = 0; + +error: + free(tmp_name); + return ret; +} + /* * Add a ltt_session structure to the global list. * @@ -194,6 +230,12 @@ int session_create(char *name, uid_t uid, gid_t gid) goto error; } + ret = validate_name(name); + if (ret < 0) { + ret = LTTNG_ERR_SESSION_INVALID_CHAR; + goto error; + } + /* Init kernel session */ new_session->kernel_session = NULL; new_session->ust_session = NULL; diff --git a/src/common/error.c b/src/common/error.c index 6c5aca65b..34daa4ca0 100644 --- a/src/common/error.c +++ b/src/common/error.c @@ -115,6 +115,7 @@ static const char *error_string_array[] = { [ ERROR_INDEX(LTTNG_ERR_SNAPSHOT_FAIL) ] = "Snapshot record failed", [ ERROR_INDEX(LTTNG_ERR_SNAPSHOT_NODATA) ] = "No data available in snapshot", [ ERROR_INDEX(LTTNG_ERR_NO_CHANNEL) ] = "No channel found in the session", + [ ERROR_INDEX(LTTNG_ERR_SESSION_INVALID_CHAR) ] = "Invalid character found in session name", /* Last element */ [ ERROR_INDEX(LTTNG_ERR_NR) ] = "Unknown error code"