[Ada] [Security] Patch for buffer overflow in __gnat_tmp_name()

Florian Weimer fw@deneb.enyo.de
Sun Feb 10 08:23:00 GMT 2002


The patch below removes a security vulnerability in __gnat_tmp_name().
I decided to not honour the TMPDIR at all (in contrast to a previous
submission) because redirecting temporary files to arbitrary
directories can have harmful effects.  If the temporary file cannot be
created, a null string is returned, to signal an error.  This removes
a subtle race condition.

Bootstrapped on GNU/Linux, x86, and tested if temporary files are
still created correctly.

2002-02-10  Florian Weimer  <fw@deneb.enyo.de>

	* adaint.c (__gnat_tmp_name): Remove buffer overflow.

Index: adaint.c
===================================================================
RCS file: /cvs/gcc/egcs/gcc/ada/adaint.c,v
retrieving revision 1.7
diff -c -3 -p -r1.7 adaint.c
*** adaint.c	2002/02/07 23:53:29	1.7
--- adaint.c	2002/02/10 11:49:38
*************** __gnat_tmp_name (tmp_filename)
*** 708,721 ****
      free (pname);
    }
  #elif defined (linux)
!   char *tmpdir = getenv ("TMPDIR");
! 
!   if (tmpdir == NULL)
      strcpy (tmp_filename, "/tmp/gnat-XXXXXX");
!   else
!     sprintf (tmp_filename, "%s/gnat-XXXXXX", tmpdir);
! 
!   close (mkstemp(tmp_filename));
  #else
    tmpnam (tmp_filename);
  #endif
--- 708,722 ----
      free (pname);
    }
  #elif defined (linux)
!   {
!     int fd;
      strcpy (tmp_filename, "/tmp/gnat-XXXXXX");
!     fd = mkstemp (tmp_filename);
!     if (fd < 0)
!       strcpy (tmp_filename, "");
!     else
!       close (fd);
!   }
  #else
    tmpnam (tmp_filename);
  #endif
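
Review bot: The failure branch `strcpy (tmp_filename, "");` in the new linux block makes an empty string the error signal, but nothing in the hunk documents that contract, and the ChangeLog entry mentions only the overflow. Please add a comment on the function stating that an empty name means no file was created and that TMPDIR is deliberately ignored, and confirm that the callers of __gnat_tmp_name check for the empty string before they open the name. The unchanged `#else` branch still calls `tmpnam (tmp_filename);`, which creates no file and has no matching failure signal, so the new contract holds only for the linux case; the same comment should say so.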


