diff options
| author | Florian Weimer <fweimer@redhat.com> | 2014-06-11 23:12:52 +0200 |
|---|---|---|
| committer | Florian Weimer <fweimer@redhat.com> | 2014-06-11 23:13:42 +0200 |
| commit | 89e435f3559c53084498e9baad22172b64429362 (patch) | |
| tree | 6bd069da0346ea8cb18e506b8e10252bc3a8b33a /posix/spawn_faction_destroy.c | |
| parent | c3a2ebe1f7541cc35937621e08c28ff88afd0845 (diff) | |
| download | glibc-89e435f3559c53084498e9baad22172b64429362.tar.gz glibc-89e435f3559c53084498e9baad22172b64429362.tar.xz glibc-89e435f3559c53084498e9baad22172b64429362.zip | |
posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)
POSIX requires that we make a copy, so we allocate a new string and free it in posix_spawn_file_actions_destroy. Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug may have security implications.
Diffstat (limited to 'posix/spawn_faction_destroy.c')
| -rw-r--r-- | posix/spawn_faction_destroy.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/posix/spawn_faction_destroy.c b/posix/spawn_faction_destroy.c index 4d165aab01..1b87010717 100644 --- a/posix/spawn_faction_destroy.c +++ b/posix/spawn_faction_destroy.c @@ -18,11 +18,29 @@ #include <spawn.h> #include <stdlib.h> -/* Initialize data structure for file attribute for `spawn' call. */ +#include "spawn_int.h" + +/* Deallocate the file actions. */ int posix_spawn_file_actions_destroy (posix_spawn_file_actions_t *file_actions) { - /* Free the memory allocated. */ + /* Free the paths in the open actions. */ + for (int i = 0; i < file_actions->__used; ++i) + { + struct __spawn_action *sa = &file_actions->__actions[i]; + switch (sa->tag) + { + case spawn_do_open: + free (sa->action.open_action.path); + break; + case spawn_do_close: + case spawn_do_dup2: + /* No cleanup required. */ + break; + } + } + + /* Free the array of actions. */ free (file_actions->__actions); return 0; } |