diff options
author | Florian Weimer <fweimer@redhat.com> | 2014-06-11 23:12:52 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2014-06-11 23:13:42 +0200 |
commit | 89e435f3559c53084498e9baad22172b64429362 (patch) | |
tree | 6bd069da0346ea8cb18e506b8e10252bc3a8b33a /posix/tst-spawn.c | |
parent | c3a2ebe1f7541cc35937621e08c28ff88afd0845 (diff) | |
download | glibc-89e435f3559c53084498e9baad22172b64429362.tar.gz glibc-89e435f3559c53084498e9baad22172b64429362.tar.xz glibc-89e435f3559c53084498e9baad22172b64429362.zip |
posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)
POSIX requires that we make a copy, so we allocate a new string and free it in posix_spawn_file_actions_destroy. Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug may have security implications.
Diffstat (limited to 'posix/tst-spawn.c')
-rw-r--r-- | posix/tst-spawn.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/posix/tst-spawn.c b/posix/tst-spawn.c index 84cecf2945..6cd874a39a 100644 --- a/posix/tst-spawn.c +++ b/posix/tst-spawn.c @@ -168,6 +168,7 @@ do_test (int argc, char *argv[]) char fd2name[18]; char fd3name[18]; char fd4name[18]; + char *name3_copy; char *spargv[12]; int i; @@ -222,9 +223,15 @@ do_test (int argc, char *argv[]) if (posix_spawn_file_actions_addclose (&actions, fd1) != 0) error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose"); /* We want to open the third file. */ - if (posix_spawn_file_actions_addopen (&actions, fd3, name3, + name3_copy = strdup (name3); + if (name3_copy == NULL) + error (EXIT_FAILURE, errno, "strdup"); + if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy, O_RDONLY, 0666) != 0) error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen"); + /* Overwrite the name to check that a copy has been made. */ + memset (name3_copy, 'X', strlen (name3_copy)); + /* We dup the second descriptor. */ fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1; if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0) @@ -253,6 +260,7 @@ do_test (int argc, char *argv[]) /* Cleanup. */ if (posix_spawn_file_actions_destroy (&actions) != 0) error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy"); + free (name3_copy); /* Wait for the child. */ if (waitpid (pid, &status, 0) != pid) |