diff options
| author | Florian Weimer <fweimer@redhat.com> | 2014-06-11 23:12:52 +0200 |
|---|---|---|
| committer | Florian Weimer <fweimer@redhat.com> | 2014-06-11 23:13:42 +0200 |
| commit | 89e435f3559c53084498e9baad22172b64429362 (patch) | |
| tree | 6bd069da0346ea8cb18e506b8e10252bc3a8b33a /posix/spawn_faction_addopen.c | |
| parent | c3a2ebe1f7541cc35937621e08c28ff88afd0845 (diff) | |
| download | glibc-89e435f3559c53084498e9baad22172b64429362.tar.gz glibc-89e435f3559c53084498e9baad22172b64429362.tar.xz glibc-89e435f3559c53084498e9baad22172b64429362.zip | |
posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)
POSIX requires that we make a copy, so we allocate a new string and free it in posix_spawn_file_actions_destroy. Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug may have security implications.
Diffstat (limited to 'posix/spawn_faction_addopen.c')
| -rw-r--r-- | posix/spawn_faction_addopen.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/posix/spawn_faction_addopen.c b/posix/spawn_faction_addopen.c index 47f62425b6..40800b8e6e 100644 --- a/posix/spawn_faction_addopen.c +++ b/posix/spawn_faction_addopen.c @@ -35,17 +35,24 @@ posix_spawn_file_actions_addopen (posix_spawn_file_actions_t *file_actions, if (fd < 0 || fd >= maxfd) return EBADF; + char *path_copy = strdup (path); + if (path_copy == NULL) + return ENOMEM; + /* Allocate more memory if needed. */ if (file_actions->__used == file_actions->__allocated && __posix_spawn_file_actions_realloc (file_actions) != 0) - /* This can only mean we ran out of memory. */ - return ENOMEM; + { + /* This can only mean we ran out of memory. */ + free (path_copy); + return ENOMEM; + } /* Add the new value. */ rec = &file_actions->__actions[file_actions->__used]; rec->tag = spawn_do_open; rec->action.open_action.fd = fd; - rec->action.open_action.path = path; + rec->action.open_action.path = path_copy; rec->action.open_action.oflag = oflag; rec->action.open_action.mode = mode; |