[Ada] [Security] Patch for buffer overflow in __gnat_tmp_name()
Florian Weimer
fw@deneb.enyo.de
Sun Feb 10 08:23:00 GMT 2002
The patch below removes a security vulnerability in __gnat_tmp_name().
I decided to not honour the TMPDIR at all (in contrast to a previous
submission) because redirecting temporary files to arbitrary
directories can have harmful effects. If the temporary file cannot be
created, a null string is returned, to signal an error. This removes
a subtle race condition.

Bootstrapped on GNU/Linux, x86, and tested if temporary files are
still created correctly.

2002-02-10 Florian Weimer <fw@deneb.enyo.de>
* adaint.c (__gnat_tmp_name): Remove buffer overflow.
Index: adaint.c
===================================================================
RCS file: /cvs/gcc/egcs/gcc/ada/adaint.c,v
retrieving revision 1.7
diff -c -3 -p -r1.7 adaint.c
*** adaint.c 2002/02/07 23:53:29 1.7
--- adaint.c 2002/02/10 11:49:38
*************** __gnat_tmp_name (tmp_filename)
*** 708,721 ****
free (pname);
}
#elif defined (linux)
! char *tmpdir = getenv ("TMPDIR");
!
! if (tmpdir == NULL)
strcpy (tmp_filename, "/tmp/gnat-XXXXXX");
! else
! sprintf (tmp_filename, "%s/gnat-XXXXXX", tmpdir);
!
! close (mkstemp(tmp_filename));
#else
tmpnam (tmp_filename);
#endif
--- 708,722 ----
free (pname);
}
#elif defined (linux)
! {
! int fd;
strcpy (tmp_filename, "/tmp/gnat-XXXXXX");
! fd = mkstemp (tmp_filename);
! if (fd < 0)
! strcpy (tmp_filename, "");
! else
! close (fd);
! }
#else
tmpnam (tmp_filename);
#endif
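Review bot: The `fd < 0` branch reports mkstemp failure by storing an empty string in tmp_filename, but nothing in the hunk documents that new convention and no caller is updated here to check for it. Add a line to the comment on __gnat_tmp_name stating that an empty name means the file could not be created, and confirm that every caller tests for it before opening the result. Separately, the `#else` branch still calls `tmpnam (tmp_filename)`, which only generates a name without creating the file, so the race closed here for Linux remains on targets that fall through to that branch.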