Properly handle shm_open validation. Fixes bug 16274.

[platform/upstream/glibc.git] / sysdeps / unix / sysv / linux / shm_open.c

diff --git a/sysdeps/unix/sysv/linux/shm_open.c b/sysdeps/unix/sysv/linux/shm_open.c
index 0628427..7bb2874 100644 (file)
--- a/sysdeps/unix/sysv/linux/shm_open.c
+++ b/sysdeps/unix/sysv/linux/shm_open.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2000-2004,2006,2007 Free Software Foundation, Inc.
+/* Copyright (C) 2000-2013 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -12,9 +12,8 @@
    Lesser General Public License for more details.
 
    You should have received a copy of the GNU Lesser General Public
-   License along with the GNU C Library; if not, write to the Free
-   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
-   02111-1307 USA.  */
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
 
 #include <errno.h>
 #include <fcntl.h>
@@ -87,11 +86,7 @@ where_is_shmfs (void)
   while ((mp = __getmntent_r (fp, &resmem, buf, sizeof buf)) != NULL)
     /* The original name is "shm" but this got changed in early Linux
        2.4.x to "tmpfs".  */
-    if (strcmp (mp->mnt_type, "tmpfs") == 0
-#ifndef __ASSUME_TMPFS_NAME
-       || strcmp (mp->mnt_type, "shm") == 0
-#endif
-       )
+    if (strcmp (mp->mnt_type, "tmpfs") == 0)
       {
        /* Found it.  There might be more than one place where the
            filesystem is mounted but one is enough for us.  */
@@ -153,14 +148,15 @@ shm_open (const char *name, int oflag, mode_t mode)
   while (name[0] == '/')
     ++name;
 
-  if (name[0] == '\0')
+  namelen = strlen (name);
+
+  /* Validate the filename.  */
+  if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') != NULL)
     {
-      /* The name "/" is not supported.  */
       __set_errno (EINVAL);
       return -1;
     }
 
-  namelen = strlen (name);
   fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
   __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
             name, namelen + 1);
@@ -187,7 +183,7 @@ shm_open (const char *name, int oflag, mode_t mode)
 
          if (__builtin_expect (flags, 0) >= 0)
            {
-# ifndef O_CLOEXEC
+# ifdef O_CLOEXEC
              if (have_o_cloexec == 0)
                have_o_cloexec = (flags & FD_CLOEXEC) == 0 ? -1 : 1;
              if (have_o_cloexec < 0)
@@ -242,14 +238,15 @@ shm_unlink (const char *name)
   while (name[0] == '/')
     ++name;
 
-  if (name[0] == '\0')
+  namelen = strlen (name);
+
+  /* Validate the filename.  */
+  if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') != NULL)
     {
-      /* The name "/" is not supported.  */
       __set_errno (ENOENT);
       return -1;
     }
 
-  namelen = strlen (name);
   fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
   __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
             name, namelen + 1);