Fix CVE-2020-7211: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7211 Patch copied from upstream dependency repository: https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Mon, 13 Jan 2020 17:44:31 +0530 Subject: [PATCH] slirp: tftp: restrict relative path access tftp restricts relative or directory path access on Linux systems. Apply same restrictions on Windows systems too. It helps to avoid directory traversal issue. Fixes: https://bugs.launchpad.net/qemu/+bug/1812451 Reported-by: Peter Maydell Signed-off-by: Prasad J Pandit Reviewed-by: Samuel Thibault Message-Id: <20200113121431.156708-1-ppandit@redhat.com> --- src/tftp.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/tftp.c b/src/tftp.c index 093c2e0..e52e71b 100644 --- a/slirp/src/tftp.c +++ b/slirp/src/tftp.c @@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, k += 6; /* skipping octet */ /* do sanity checks on the filename */ - if (!strncmp(req_fname, "../", 3) || - req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) { + if ( +#ifdef G_OS_WIN32 + strstr(req_fname, "..\\") || + req_fname[strlen(req_fname) - 1] == '\\' || +#endif + strstr(req_fname, "../") || + req_fname[strlen(req_fname) - 1] == '/') { tftp_send_error(spt, 2, "Access violation", tp); return; } -- 2.24.1