godzil/sd2snes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Firmware: restrict directory traversal depth

Browse Source
This commit is contained in:
Maximilian Rehkopf
2011-08-20 22:00:01 +02:00
parent 63308d56bc
commit a0ae977945
2 changed files with 34 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
src/filetypes.c
View File

@@ -134,39 +134,41 @@ uint32_t scan_dir(char* path, char mkdb, uint32_t this_dir_tgt) {
fn = *fno.lfname ? fno.lfname : fno.fname; fn = *fno.lfname ? fno.lfname : fno.fname;
if ((*fn == '.') || !(memcmp(fn, SYS_DIR_NAME, sizeof(SYS_DIR_NAME)))) continue; if ((*fn == '.') || !(memcmp(fn, SYS_DIR_NAME, sizeof(SYS_DIR_NAME)))) continue;
if (fno.fattrib & AM_DIR) { if (fno.fattrib & AM_DIR) {
numentries++; depth++;
if(pass) { if(depth < FS_MAX_DEPTH) {
path[len]='/'; numentries++;
strncpy(path+len+1, (char*)fn, sizeof(fs_path)-len); if(pass) {
depth++; path[len]='/';
if(mkdb) { strncpy(path+len+1, (char*)fn, sizeof(fs_path)-len);
uint16_t pathlen = strlen(path); if(mkdb) {
/* write element pointer to current dir structure */ uint16_t pathlen = strlen(path);
printf("d=%d Saving %lx to Address %lx [dir]\n", depth, db_tgt, dir_tgt); /* write element pointer to current dir structure */
sram_writelong((db_tgt-SRAM_MENU_ADDR)|((uint32_t)0x80<<24), dir_tgt); printf("d=%d Saving %lx to Address %lx [dir]\n", depth, db_tgt, dir_tgt);
/* save element: sram_writelong((db_tgt-SRAM_MENU_ADDR)|((uint32_t)0x80<<24), dir_tgt);
- path name /* save element:
- pointer to sub dir structure */ - path name
if((db_tgt&0xffff) > ((0x10000-(sizeof(next_subdir_tgt) + sizeof(len) + pathlen + 2))&0xffff)) { - pointer to sub dir structure */
printf("switch! old=%lx ", db_tgt); if((db_tgt&0xffff) > ((0x10000-(sizeof(next_subdir_tgt) + sizeof(len) + pathlen + 2))&0xffff)) {
db_tgt &= 0xffff0000; printf("switch! old=%lx ", db_tgt);
db_tgt += 0x00010000; db_tgt &= 0xffff0000;
printf("new=%lx\n", db_tgt); db_tgt += 0x00010000;
printf("new=%lx\n", db_tgt);
}
printf(" Saving dir descriptor to %lx tgt=%lx, path=%s\n", db_tgt, next_subdir_tgt, path);
sram_writelong((next_subdir_tgt-SRAM_MENU_ADDR), db_tgt);
sram_writebyte(len+1, db_tgt+sizeof(next_subdir_tgt));
sram_writeblock(path, db_tgt+sizeof(next_subdir_tgt)+sizeof(len), pathlen);
sram_writeblock("/\0", db_tgt + sizeof(next_subdir_tgt) + sizeof(len) + pathlen, 2);
db_tgt += sizeof(next_subdir_tgt) + sizeof(len) + pathlen + 2;
} }
printf(" Saving dir descriptor to %lx tgt=%lx, path=%s\n", db_tgt, next_subdir_tgt, path); parent_tgt = this_dir_tgt;
sram_writelong((next_subdir_tgt-SRAM_MENU_ADDR), db_tgt); scan_dir(path, mkdb, next_subdir_tgt);
sram_writebyte(len+1, db_tgt+sizeof(next_subdir_tgt)); dir_tgt += 4;
sram_writeblock(path, db_tgt+sizeof(next_subdir_tgt)+sizeof(len), pathlen); was_empty = 0;
sram_writeblock("/\0", db_tgt + sizeof(next_subdir_tgt) + sizeof(len) + pathlen, 2);
db_tgt += sizeof(next_subdir_tgt) + sizeof(len) + pathlen + 2;
} }
parent_tgt = this_dir_tgt;
scan_dir(path, mkdb, next_subdir_tgt);
dir_tgt += 4;
was_empty = 0;
depth--;
path[len]=0;
} }
depth--;
path[len]=0;
} else { } else {
SNES_FTYPE type = determine_filetype((char*)fn); SNES_FTYPE type = determine_filetype((char*)fn);
if(type != TYPE_UNKNOWN) { if(type != TYPE_UNKNOWN) {
@@ -188,7 +190,7 @@ uint32_t scan_dir(char* path, char mkdb, uint32_t this_dir_tgt) {
file_close(); */ file_close(); */
/* write element pointer to current dir structure */ /* write element pointer to current dir structure */
/* printf("d=%d Saving %lX to Address %lX [file]\n", depth, db_tgt, dir_tgt); */ printf("d=%d Saving %lX to Address %lX [file %s]\n", depth, db_tgt, dir_tgt, path);
if((db_tgt&0xffff) > ((0x10000-(sizeof(len) + pathlen + sizeof(buf)-1 + 1))&0xffff)) { if((db_tgt&0xffff) > ((0x10000-(sizeof(len) + pathlen + sizeof(buf)-1 + 1))&0xffff)) {
printf("switch! old=%lx ", db_tgt); printf("switch! old=%lx ", db_tgt);
db_tgt &= 0xffff0000; db_tgt &= 0xffff0000;

1
src/filetypes.h
View File

@@ -29,6 +29,7 @@
#include "ff.h" #include "ff.h"
#define FS_MAX_DEPTH (10)
#define SYS_DIR_NAME ((const uint8_t*)"sd2snes") #define SYS_DIR_NAME ((const uint8_t*)"sd2snes")
typedef enum { typedef enum {
TYPE_UNKNOWN = 0, /* 0 */ TYPE_UNKNOWN = 0, /* 0 */