e-smith-lib/sme9/e-smith-lib-2.4.0-untaint_nic_names.patch

diff -Nur e-smith-lib-2.4.0/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm e-smith-lib-2.4.0-untaint_nic_names/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm
--- e-smith-lib-2.4.0/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm       2013-03-04 11:33:43.173652411 +0100
+++ e-smith-lib-2.4.0-untaint_nic_names/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm     2013-03-05 19:03:04.929704906 +0100
@@ -44,6 +44,9 @@
     my $adapters = '';
     my $index = 1;
     foreach my $nic (@nics){
+        # Untaint $nic and makes sure the name looks OK
+        next unless ($nic =~ m/^(\w+[\.:]?\d+)$/);
+        $nic = $1;
         next if (
             # skip loopback
             $nic eq 'lo' ||
@@ -67,6 +70,9 @@
         open HW, "/sys/class/net/$nic/address";
         my $mac = join("", <HW>);
         close HW;
+        # Check MAC Addr and untaint it
+        next unless ($mac =~ m/^(([\da-f]{2}:){5}[\da-f]{2})$/i);
+        $mac = $1;
         # If the device is a slave of a bridge, it's real MAC
         # address can be found in /proc/net/bonding/bondX
         if (-l "/sys/class/net/$nic/master"){
@@ -82,14 +88,21 @@
         }
         chomp($mac);
         my $driver = basename (readlink "/sys/class/net/$nic/device/driver");
+        # Untaint driver name
+        next unless ($driver =~ m/^([\w\-]+)$/);
+        $driver = $1;
         my $bus = basename (readlink "/sys/class/net/$nic/device/subsystem");
         my $desc = $nic;
         if ($bus eq 'pci'){
             my $dev = basename (readlink "/sys/class/net/$nic/device");
-            $desc = `/sbin/lspci -s $dev`;
-            # Extract only description 
-            $desc =~ m/^.*:.*:\s+(.*)\s*/;
-            $desc = $1;
+            # Untaint $dev
+            if ($dev =~ m/^(\d+:\d+:\d+\.\d+)$/){
+                $dev = $1;
+                $desc = `/sbin/lspci -s $dev`;
+                # Extract only description 
+                $desc =~ m/^.*:.*:\s+(.*)\s*/;
+                $desc = $1;
+            }
         }
         elsif ($bus eq 'virtio'){
             $desc = 'Virtio Network Device';
1	diff -Nur e-smith-lib-2.4.0/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm e-smith-lib-2.4.0-untaint_nic_names/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm
2	--- e-smith-lib-2.4.0/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm 2013-03-04 11:33:43.173652411 +0100
3	+++ e-smith-lib-2.4.0-untaint_nic_names/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm 2013-03-05 19:03:04.929704906 +0100
4	@@ -44,6 +44,9 @@
5	my $adapters = '';
6	my $index = 1;
7	foreach my $nic (@nics){
8	+ # Untaint $nic and makes sure the name looks OK
9	+ next unless ($nic =~ m/^(\w+[\.:]?\d+)$/);
10	+ $nic = $1;
11	next if (
12	# skip loopback
13	$nic eq 'lo' \|\|
14	@@ -67,6 +70,9 @@
15	open HW, "/sys/class/net/$nic/address";
16	my $mac = join("", <HW>);
17	close HW;
18	+ # Check MAC Addr and untaint it
19	+ next unless ($mac =~ m/^(([\da-f]{2}:){5}[\da-f]{2})$/i);
20	+ $mac = $1;
21	# If the device is a slave of a bridge, it's real MAC
22	# address can be found in /proc/net/bonding/bondX
23	if (-l "/sys/class/net/$nic/master"){
24	@@ -82,14 +88,21 @@
25	}
26	chomp($mac);
27	my $driver = basename (readlink "/sys/class/net/$nic/device/driver");
28	+ # Untaint driver name
29	+ next unless ($driver =~ m/^([\w\-]+)$/);
30	+ $driver = $1;
31	my $bus = basename (readlink "/sys/class/net/$nic/device/subsystem");
32	my $desc = $nic;
33	if ($bus eq 'pci'){
34	my $dev = basename (readlink "/sys/class/net/$nic/device");
35	- $desc = `/sbin/lspci -s $dev`;
36	- # Extract only description
37	- $desc =~ m/^.:.:\s+(.)\s/;
38	- $desc = $1;
39	+ # Untaint $dev
40	+ if ($dev =~ m/^(\d+:\d+:\d+\.\d+)$/){
41	+ $dev = $1;
42	+ $desc = `/sbin/lspci -s $dev`;
43	+ # Extract only description
44	+ $desc =~ m/^.:.:\s+(.)\s/;
45	+ $desc = $1;
46	+ }
47	}
48	elsif ($bus eq 'virtio'){
49	$desc = 'Virtio Network Device';