diff options
author | Neels Hofmeyr <nhofmeyr@sysmocom.de> | 2016-08-18 03:53:09 +0200 |
---|---|---|
committer | Neels Hofmeyr <nhofmeyr@sysmocom.de> | 2016-10-14 11:39:49 +0000 |
commit | f7611c3ceea4afffeded41e287a3200a578e8a5b (patch) | |
tree | b76e8f94d697b510f01b10465df1dfd0fd0bf20b | |
parent | 38929c9131b606d074d438a6476c5b032badb46d (diff) |
fix gsn_restart file buffer overflow and missing path sep
Fix errors during gsn_restart file path composition:
- possible buffer overflow because the wrong remaining length was fed to
strncat().
- missing path separator: put restart file in dir/gsn_restart instead of
../dirgsn_restart.
This assumes that the path separator is '/'.
Use talloc_asprintf() to fix all filename length problems and shorten the code.
In order to free the allocated path, add a free_filename label, and jump there
instead of returning from the fopen("w") failure branch. Also don't return from
"fclose failed" branch in order to free the path, remove the if {} braces.
Change-Id: Idf0a64ff45720aa818f2f9de1e8ba2fe2c82631b
-rw-r--r-- | gtp/gtp.c | 16 |
1 files changed, 7 insertions, 9 deletions
@@ -646,13 +646,11 @@ static void log_restart(struct gsn_t *gsn) FILE *f; int i, rc; int counter = 0; - char filename[NAMESIZE]; - - filename[NAMESIZE - 1] = 0; /* No null term. guarantee by strncpy */ - strncpy(filename, gsn->statedir, NAMESIZE - 1); - strncat(filename, RESTART_FILE, NAMESIZE - 1 - sizeof(RESTART_FILE)); + char *filename; i = umask(022); + filename = talloc_asprintf(NULL, "%s/%s", gsn->statedir, RESTART_FILE); + OSMO_ASSERT(filename); /* We try to open file. On failure we will later try to create file */ if (!(f = fopen(filename, "r"))) { @@ -680,17 +678,17 @@ static void log_restart(struct gsn_t *gsn) LOGP(DLGTP, LOGL_ERROR, "fopen(path=%s, mode=%s) failed: Error = %s\n", filename, "w", strerror(errno)); - return; + goto free_filename; } umask(i); fprintf(f, "%d\n", gsn->restart_counter); close_file: - if (fclose(f)) { + if (fclose(f)) LOGP(DLGTP, LOGL_ERROR, "fclose failed: Error = %s\n", strerror(errno)); - return; - } +free_filename: + talloc_free(filename); } int gtp_new(struct gsn_t **gsn, char *statedir, struct in_addr *listen, |