Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/libexec/mail.local Fix race condition in deliver(), fix reso...
details: https://anonhg.NetBSD.org/src/rev/891f7c1f93ad
branches: trunk
changeset: 816706:891f7c1f93ad
user: shm <shm%NetBSD.org@localhost>
date: Tue Jul 19 13:11:38 2016 +0000
description:
Fix race condition in deliver(), fix resource leak.
diffstat:
libexec/mail.local/mail.local.c | 52 +++++++++++++++++++++++++++++-----------
1 files changed, 38 insertions(+), 14 deletions(-)
diffs (108 lines):
diff -r 781b98e06bb2 -r 891f7c1f93ad libexec/mail.local/mail.local.c
--- a/libexec/mail.local/mail.local.c Tue Jul 19 09:27:40 2016 +0000
+++ b/libexec/mail.local/mail.local.c Tue Jul 19 13:11:38 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: mail.local.c,v 1.26 2011/08/27 15:40:31 joerg Exp $ */
+/* $NetBSD: mail.local.c,v 1.27 2016/07/19 13:11:38 shm Exp $ */
/*-
* Copyright (c) 1990, 1993, 1994
@@ -36,7 +36,7 @@
#if 0
static char sccsid[] = "@(#)mail.local.c 8.22 (Berkeley) 6/21/95";
#else
-__RCSID("$NetBSD: mail.local.c,v 1.26 2011/08/27 15:40:31 joerg Exp $");
+__RCSID("$NetBSD: mail.local.c,v 1.27 2016/07/19 13:11:38 shm Exp $");
#endif
#endif /* not lint */
@@ -169,7 +169,8 @@
(void)fflush(fp);
if (ferror(fp))
logerr(EX_OSERR, "temporary file write error");
- fd = dup(fd);
+ if ((fd = dup(fd)) == -1)
+ logerr(EX_OSERR, "dup failed");
(void)fclose(fp);
return(fd);
}
@@ -177,10 +178,10 @@
static int
deliver(int fd, char *name, int lockfile)
{
- struct stat sb;
+ struct stat sb, nsb;
struct passwd pwres, *pw;
char pwbuf[1024];
- int created, mbfd, nr, nw, off, rval=EX_OK, lfd=-1;
+ int created = 0, mbfd, nr, nw, off, rval=EX_OK, lfd = -1;
char biffmsg[100], buf[8*1024], path[MAXPATHLEN], lpath[MAXPATHLEN];
off_t curoff;
@@ -210,22 +211,42 @@
}
}
- if (!(created = lstat(path, &sb)) &&
+ if ((lstat(path, &sb) != -1) &&
(sb.st_nlink != 1 || S_ISLNK(sb.st_mode))) {
logwarn("%s: linked file", path);
return(EX_OSERR);
}
if ((mbfd = open(path, O_APPEND|O_WRONLY|O_EXLOCK,
- S_IRUSR|S_IWUSR)) < 0) {
+ S_IRUSR|S_IWUSR)) != -1) {
+ /* create file */
if ((mbfd = open(path, O_APPEND|O_CREAT|O_WRONLY|O_EXLOCK,
- S_IRUSR|S_IWUSR)) < 0) {
+ S_IRUSR|S_IWUSR)) != -1) {
logwarn("%s: %s", path, strerror(errno));
- return(EX_OSERR);
+ rval = EX_OSERR;
+ goto bad;
+ }
+ created = 1;
+ } else {
+ /* opened existing file, check for TOCTTOU */
+ if (fstat(mbfd, &nsb) == -1) {
+ rval = EX_OSERR;
+ goto bad;
+ }
+
+ /* file is not what we expected */
+ if (nsb.st_ino != sb.st_ino || nsb.st_dev != sb.st_dev) {
+ rval = EX_OSERR;
+ goto bad;
}
}
- curoff = lseek(mbfd, 0, SEEK_END);
+ if ((curoff = lseek(mbfd, 0, SEEK_END)) == (off_t)-1) {
+ logwarn("%s: %s", path, strerror(errno));
+ rval = EX_OSERR;
+ goto bad;
+ }
+
(void)snprintf(biffmsg, sizeof biffmsg, "%s@%lld\n", name,
(long long)curoff);
if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
@@ -259,11 +280,14 @@
close(lfd);
}
}
- if (created)
- (void)fchown(mbfd, pw->pw_uid, pw->pw_gid);
- (void)fsync(mbfd); /* Don't wait for update. */
- (void)close(mbfd); /* Implicit unlock. */
+ if (mbfd >= 0) {
+ if (created)
+ (void)fchown(mbfd, pw->pw_uid, pw->pw_gid);
+
+ (void)fsync(mbfd); /* Don't wait for update. */
+ (void)close(mbfd); /* Implicit unlock. */
+ }
if (rval == EX_OK)
notifybiff(biffmsg);
Home |
Main Index |
Thread Index |
Old Index