about summary refs log tree commit diff
path: root/posix/tst-spawn.c
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2014-06-11 23:12:52 +0200
committerFlorian Weimer <fweimer@redhat.com>2014-06-11 23:13:42 +0200
commit89e435f3559c53084498e9baad22172b64429362 (patch)
tree6bd069da0346ea8cb18e506b8e10252bc3a8b33a /posix/tst-spawn.c
parentc3a2ebe1f7541cc35937621e08c28ff88afd0845 (diff)
downloadglibc-89e435f3559c53084498e9baad22172b64429362.tar.gz
glibc-89e435f3559c53084498e9baad22172b64429362.tar.xz
glibc-89e435f3559c53084498e9baad22172b64429362.zip
posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)
POSIX requires that we make a copy, so we allocate a new string
and free it in posix_spawn_file_actions_destroy.

Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
may have security implications.
Diffstat (limited to 'posix/tst-spawn.c')
-rw-r--r--posix/tst-spawn.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/posix/tst-spawn.c b/posix/tst-spawn.c
index 84cecf2945..6cd874a39a 100644
--- a/posix/tst-spawn.c
+++ b/posix/tst-spawn.c
@@ -168,6 +168,7 @@ do_test (int argc, char *argv[])
   char fd2name[18];
   char fd3name[18];
   char fd4name[18];
+  char *name3_copy;
   char *spargv[12];
   int i;
 
@@ -222,9 +223,15 @@ do_test (int argc, char *argv[])
    if (posix_spawn_file_actions_addclose (&actions, fd1) != 0)
      error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose");
    /* We want to open the third file.  */
-   if (posix_spawn_file_actions_addopen (&actions, fd3, name3,
+   name3_copy = strdup (name3);
+   if (name3_copy == NULL)
+     error (EXIT_FAILURE, errno, "strdup");
+   if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy,
 					 O_RDONLY, 0666) != 0)
      error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen");
+   /* Overwrite the name to check that a copy has been made.  */
+   memset (name3_copy, 'X', strlen (name3_copy));
+
    /* We dup the second descriptor.  */
    fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1;
    if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0)
@@ -253,6 +260,7 @@ do_test (int argc, char *argv[])
    /* Cleanup.  */
    if (posix_spawn_file_actions_destroy (&actions) != 0)
      error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy");
+   free (name3_copy);
 
   /* Wait for the child.  */
   if (waitpid (pid, &status, 0) != pid)