diff options
| author | trawick <trawick@13f79535-47bb-0310-9956-ffa450edef68> | 2015-04-25 11:51:04 +0000 |
|---|---|---|
| committer | trawick <trawick@13f79535-47bb-0310-9956-ffa450edef68> | 2015-04-25 11:51:04 +0000 |
| commit | 1fa5fa560bdf6cac3a4ee57f0673e2fadd4c0224 (patch) | |
| tree | 74a93df18538600dc7a035e167c062c12c9306f3 | |
| parent | bea048834f963e7f8d94ff43fae824cfc4222d3e (diff) | |
| download | libapr-1fa5fa560bdf6cac3a4ee57f0673e2fadd4c0224.tar.gz | |
Merge r1676013 from trunk:
SECURITY: CVE-2015-1829 (cve.mitre.org)
APR applications using APR named pipe support on Windows can be
vulnerable to a pipe squatting attack from a local process; the extent
of the vulnerability, when present, depends on the application.
Initial analysis and report was provided by John Hernandez of Casaba
Security via HP SSRT Security Alert.
Submitted by: ylavic
git-svn-id: http://svn.apache.org/repos/asf/apr/apr/branches/1.5.x@1676015 13f79535-47bb-0310-9956-ffa450edef68
| -rw-r--r-- | file_io/win32/pipe.c | 36 |
1 files changed, 33 insertions, 3 deletions
diff --git a/file_io/win32/pipe.c b/file_io/win32/pipe.c index a26376217..c7ea8bcb6 100644 --- a/file_io/win32/pipe.c +++ b/file_io/win32/pipe.c @@ -18,6 +18,7 @@ #include "apr_file_io.h" #include "apr_general.h" #include "apr_strings.h" +#include "apr_escape.h" #if APR_HAVE_ERRNO_H #include <errno.h> #endif @@ -82,7 +83,6 @@ APR_DECLARE(apr_status_t) apr_file_pipe_create_ex(apr_file_t **in, static unsigned long id = 0; DWORD dwPipeMode; DWORD dwOpenMode; - char name[50]; sa.nLength = sizeof(sa); @@ -127,8 +127,26 @@ APR_DECLARE(apr_status_t) apr_file_pipe_create_ex(apr_file_t **in, (void) apr_pollset_create(&(*out)->pollset, 1, p, 0); #endif if (apr_os_level >= APR_WIN_NT) { + char rand[8]; + int pid = getpid(); +#define FMT_PIPE_NAME "\\\\.\\pipe\\apr-pipe-%x.%lx." + /* ^ ^ ^ + * pid | | + * | | + * id | + * | + * hex-escaped rand[8] (16 bytes) + */ + char name[sizeof FMT_PIPE_NAME + 2 * sizeof(pid) + + 2 * sizeof(id) + + 2 * sizeof(rand)]; + apr_size_t pos; + /* Create the read end of the pipe */ dwOpenMode = PIPE_ACCESS_INBOUND; +#ifdef FILE_FLAG_FIRST_PIPE_INSTANCE + dwOpenMode |= FILE_FLAG_FIRST_PIPE_INSTANCE; +#endif if (blocking == APR_WRITE_BLOCK /* READ_NONBLOCK */ || blocking == APR_FULL_NONBLOCK) { dwOpenMode |= FILE_FLAG_OVERLAPPED; @@ -136,10 +154,11 @@ APR_DECLARE(apr_status_t) apr_file_pipe_create_ex(apr_file_t **in, (*in)->pOverlapped->hEvent = CreateEvent(NULL, FALSE, FALSE, NULL); (*in)->timeout = 0; } - dwPipeMode = 0; - sprintf(name, "\\\\.\\pipe\\apr-pipe-%u.%lu", getpid(), id++); + apr_generate_random_bytes(rand, sizeof rand); + pos = apr_snprintf(name, sizeof name, FMT_PIPE_NAME, pid, id++); + apr_escape_hex(name + pos, rand, sizeof rand, 0, NULL); (*in)->filehand = CreateNamedPipe(name, dwOpenMode, @@ -149,6 +168,11 @@ APR_DECLARE(apr_status_t) apr_file_pipe_create_ex(apr_file_t **in, 65536, /* nInBufferSize, */ 1, /* nDefaultTimeOut, */ &sa); + if ((*in)->filehand == INVALID_HANDLE_VALUE) { + apr_status_t rv = apr_get_os_error(); + file_cleanup(*in); + return rv; + } /* Create the write end of the pipe */ dwOpenMode = FILE_ATTRIBUTE_NORMAL; @@ -167,6 +191,12 @@ APR_DECLARE(apr_status_t) apr_file_pipe_create_ex(apr_file_t **in, OPEN_EXISTING, /* dwCreationDisposition */ dwOpenMode, /* Pipe attributes */ NULL); /* handle to template file */ + if ((*out)->filehand == INVALID_HANDLE_VALUE) { + apr_status_t rv = apr_get_os_error(); + file_cleanup(*out); + file_cleanup(*in); + return rv; + } } else { /* Pipes on Win9* are blocking. Live with it. */ |