Ensure that file names passed back by readdir do not include a '/'

character. The '/' char is the path separator and is not allowed in
any filename.

NFS specific report by Apple Security Engineering and Architecture (SEAR).

Input from guenther@ and millert@
OK beck@ miod@

2 files changed, 12 insertions, 3 deletions

diff --git a/sys/ufs/ext2fs/ext2fs_lookup.c b/sys/ufs/ext2fs/ext2fs_lookup.c
index 36e182465c5..435f8c7c662 100644
--- a/sys/ufs/ext2fs/ext2fs_lookup.c
+++ b/sys/ufs/ext2fs/ext2fs_lookup.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ext2fs_lookup.c,v 1.46 2022/01/11 03:13:59 jsg Exp $	*/
+/*	$OpenBSD: ext2fs_lookup.c,v 1.47 2024/09/12 09:04:51 claudio Exp $	*/
 /*	$NetBSD: ext2fs_lookup.c,v 1.16 2000/08/03 20:29:26 thorpej Exp $	*/
 
 /*
@@ -173,7 +173,11 @@ ext2fs_readdir(void *v)
 				break;
 			}
 			ext2fs_dirconv2ffs(dp, &dstd);
-			if(dstd.d_reclen > uio->uio_resid) {
+			if (memchr(dstd.d_name, '/', dstd.d_namlen) != NULL) {
+				error = EINVAL;
+				break;
+			}
+			if (dstd.d_reclen > uio->uio_resid) {
 				break;
 			}
 			dstd.d_off = off + e2d_reclen;
diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c
index 098814a995a..289f745f55c 100644
--- a/sys/ufs/ufs/ufs_vnops.c
+++ b/sys/ufs/ufs/ufs_vnops.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ufs_vnops.c,v 1.162 2024/05/13 11:17:41 semarie Exp $	*/
+/*	$OpenBSD: ufs_vnops.c,v 1.163 2024/09/12 09:04:51 claudio Exp $	*/
 /*	$NetBSD: ufs_vnops.c,v 1.18 1996/05/11 18:28:04 mycroft Exp $	*/
 
 /*
@@ -1395,6 +1395,11 @@ ufs_readdir(void *v)
 		memset(u.dn.d_name + u.dn.d_namlen, 0, u.dn.d_reclen
 		    - u.dn.d_namlen - offsetof(struct dirent, d_name));
 
+		if (memchr(u.dn.d_name, '/', u.dn.d_namlen) != NULL) {
+			error = EINVAL;
+			break;
+		}
+
 		error = uiomove(&u.dn, u.dn.d_reclen, uio);
 		dp = (struct direct *)((char *)dp + dp->d_reclen);
 	}