From 2f602de35d44213d39581c59632aa8365348850b Mon Sep 17 00:00:00 2001
From: John Levon
Date: Tue, 21 Apr 2020 08:43:40 -0700
Subject: 12585 insufficient validation in svccfg for service name

Reviewed by: Robert Mustacchi
Reviewed by: Patrick Mooney
Approved by: Dan McDonald
---
 usr/src/cmd/svc/svccfg/svccfg_xml.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

(limited to 'usr/src')

diff --git a/usr/src/cmd/svc/svccfg/svccfg_xml.c b/usr/src/cmd/svc/svccfg/svccfg_xml.c
index 13c7a90d12..c0810de2ab 100644
--- a/usr/src/cmd/svc/svccfg/svccfg_xml.c
+++ b/usr/src/cmd/svc/svccfg/svccfg_xml.c
@@ -23,7 +23,7 @@
 */
 /*
 * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
- * Copyright 2019 Joyent, Inc.
+ * Copyright 2020 Joyent, Inc.
 */
@@ -3403,6 +3403,28 @@ out:
 return (rc);
 }
+/*
+ * Validate the svc:/-prefixed FMRI generated from the service name.
+ */
+static void
+validate_service_name(const entity_t *s)
+{
+ char *fmri;
+ int ftype;
+ const char *finst;
+
+ if ((fmri = uu_strdup(s->sc_fmri)) == NULL)
+ uu_die(gettext("couldn't allocate memory"));
+
+ if (scf_parse_fmri(fmri, &ftype, NULL, NULL, &finst, NULL, NULL) != 0 ||
+ finst != NULL || ftype != SCF_FMRI_TYPE_SVC) {
+ uu_die(gettext("invalid value \"%s\": should be a bare "
+ "service name\n"), s->sc_name);
+ }
+
+ uu_free(fmri);
+}
+
 /*
 * Translate a service element into an internal instance/property tree, added
 * to bundle.
@@ -3427,6 +3449,8 @@ lxml_get_service(bundle_t *bundle, xmlNodePtr svc, svccfg_op_t op)
 s = internal_service_new((char *)xmlGetProp(svc, (xmlChar *)name_attr));
+ validate_service_name(s);
+
 version = xmlGetProp(svc, (xmlChar *)version_attr);
 s->sc_u.sc_service.sc_service_version = atol((const char *)version);
 xmlFree(version);
-- cgit v1.2.3
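Review bot: The condition in validate_service_name() rejects an instance component (`finst != NULL`) but never inspects the last two outputs of scf_parse_fmri(), which are passed as NULL. If those are the property-group and property slots, as the libscf prototype suggests, a name that parses with such a component would still pass as a "bare service name". Capturing the sixth output closes the gap: declare `const char *fpg;`, pass `&fpg` in place of the sixth argument, and extend the test with `|| fpg != NULL`. The block comment could also say why the FMRI is duplicated before parsing, e.g. `scf_parse_fmri() splits its argument in place, so parse a copy` (presumably the reason for the uu_strdup(); confirm against libscf). The call added in lxml_get_service() in the following hunk is the only enforcement point visible in this patch, so the check should be complete here.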