From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 32275 invoked by alias); 6 May 2009 09:14:22 -0000
Received: (qmail 32268 invoked by alias); 6 May 2009 09:14:21 -0000
X-SWARE-Spam-Status: No, hits=-1.8 required=5.0 tests=AWL,BAYES_00,SPF_HELO_PASS
X-Spam-Status: No, hits=-1.8 required=5.0 tests=AWL,BAYES_00,SPF_HELO_PASS
X-Spam-Check-By: sourceware.org
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bastion2.fedora.phx.redhat.com
Subject: cluster: RHEL5 - ccs_tool: randomize temporary file
To: cluster-cvs-relay@redhat.com
X-Project: Cluster Project
X-Git-Module: cluster.git
X-Git-Refname: refs/heads/RHEL5
X-Git-Reftype: branch
X-Git-Oldrev: c91d2c721a2dc1af8da48acd64849ba513a8a9fe
X-Git-Newrev: b07fe54c617838b9d281666dee9acffbf64c1d94
From: Christine Caulfield
Message-Id: <20090506091317.C3638120364@lists.fedorahosted.org>
Date: Wed, 06 May 2009 09:14:00 -0000
X-Scanned-By: MIMEDefang 2.58 on 172.16.52.254
Mailing-List: contact cluster-cvs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Post:
List-Help:
Sender: cluster-cvs-owner@sourceware.org
X-SW-Source: 2009-q2/txt/msg00224.txt.bz2

Gitweb: http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=b07fe54c617838b9d281666dee9acffbf64c1d94
Commit: b07fe54c617838b9d281666dee9acffbf64c1d94
Parent: c91d2c721a2dc1af8da48acd64849ba513a8a9fe
Author: Fabio M. Di Nitto
AuthorDate: Thu Oct 30 13:21:38 2008 +0100
Committer: Christine Caulfield
CommitterDate: Wed May 6 10:12:13 2009 +0100

ccs_tool: randomize temporary file

By using a static path to /tmp, the operation can be used to trigger a local DoS by a normal user.

Switch to mkostemp(3).

Signed-off-by: Fabio M. Di Nitto
---
 ccs/ccs_tool/upgrade.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/ccs/ccs_tool/upgrade.c b/ccs/ccs_tool/upgrade.c
index f8759ae..2dc7f35 100644
--- a/ccs/ccs_tool/upgrade.c
+++ b/ccs/ccs_tool/upgrade.c
@@ -193,7 +193,7 @@ static void ccs_dh_in(ccs_dh_t *dh, char *buf){ static int upgrade_device_archive(char *location){ int error = 0; int dev_fd=-1, tmp_fd=-1; - char tmp_file[64]; + char tmp_file[128]; void *buffer = NULL; char *buffer_p; ccs_dh_t dev_header; @@ -231,9 +231,10 @@ static int upgrade_device_archive(char *location){ goto fail; } - sprintf(tmp_file, "/tmp/tmp_%d", getpid()); + memset(tmp_file, 0, 128); + sprintf(tmp_file, "/tmp/ccs_tool_tmp_XXXXXX"); - tmp_fd = open(tmp_file, O_RDWR | O_CREAT |O_TRUNC, S_IRUSR|S_IWUSR); + tmp_fd = mkostemp(tmp_file, O_RDWR | O_CREAT |O_TRUNC); if(tmp_fd < 0){ fprintf(stderr, "Unable to create temporary archive: %s\n", strerror(errno)); error = -errno;
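Review bot: the tmp_file resize from 64 to 128 bytes in the first hunk (@@ -193,7) is not needed by the new template: "/tmp/ccs_tool_tmp_XXXXXX" is 24 characters plus the terminator, and mkostemp only rewrites the six X's in place, so the original 64 already had ample room. Harmless as written, but the same literal 128 is now repeated in the memset of the second hunk; memset(tmp_file, 0, sizeof(tmp_file)) would keep the two from drifting if the buffer is resized again, and the memset itself is redundant since sprintf terminates the string it writes.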
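Review bot: the flags passed to mkostemp() in the second hunk (@@ -231,9), O_RDWR | O_CREAT | O_TRUNC, are ones mkostemp already applies on its own: it always opens with O_RDWR | O_CREAT | O_EXCL and mode 0600, its flags argument exists for extras such as O_CLOEXEC or O_APPEND, and O_TRUNC on a file that O_EXCL has just guaranteed is new does nothing. Since no extra flag is wanted here, mkstemp(tmp_file) does the same job and sidesteps a portability question on this RHEL5 branch: mkostemp is a GNU extension that requires _GNU_SOURCE and first appeared in glibc 2.7, so please confirm the RHEL5 toolchain actually provides it before this is merged. The fix itself is the right one: the old open() had no O_EXCL, so a symlink planted at the guessable /tmp/tmp_<pid> would have been followed and its target truncated with the caller's privileges, which is a worse outcome than the DoS the commit message names. The error path remains correct because mkostemp sets errno on failure, which the unchanged strerror(errno) call reports.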
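As an added illustration, not code from cluster.git or from this patch's author, here are the two temp-file patterns side by side, with a symlink planted at the guessable name inside a scratch directory that the program itself creates under /tmp. The directory template, the "victim" file and its contents are constructed for the demo; the replacement uses mkstemp(3), which provides the same O_CREAT|O_EXCL creation the patch relies on without mkostemp's flags argument, so it also builds on glibc versions older than the one that introduced mkostemp.

```c
/* Added demo, not part of cluster.git: predictable /tmp name vs. mkstemp(3).
 * Scratch directory, victim file and planted symlink are all constructed here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEMO_TEMPLATE "/tmp/ccsdemo_XXXXXX"   /* scratch dir, demo assumption */

/* Old pattern from upgrade.c: fixed prefix + pid, opened without O_EXCL.
 * A symlink already sitting at that name is followed and its target truncated. */
static int open_predictable(const char *dir, pid_t pid, char *path, size_t len)
{
    snprintf(path, len, "%s/tmp_%d", dir, (int)pid);
    return open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
}

/* Replacement: mkstemp() chooses the name and opens it with O_CREAT|O_EXCL
 * and mode 0600, so it never follows something an attacker planted. */
static int open_unpredictable(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/ccs_tool_tmp_XXXXXX", dir);
    return mkstemp(path);
}

/* The file a local attacker wants truncated (constructed contents). */
static int write_victim(const char *victim)
{
    static const char data[] = "important data\n";
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, sizeof data - 1);
    close(fd);
    return n == (ssize_t)(sizeof data - 1) ? 0 : -1;
}

static off_t file_size(const char *p)
{
    struct stat st;
    return stat(p, &st) == 0 ? st.st_size : -1;
}

/* Returns 1 if the predictable scheme followed the planted symlink and
 * emptied the victim, 0 if the victim survived, -1 on setup failure. */
int predictable_name_truncates_victim(void)
{
    char dir[] = DEMO_TEMPLATE, victim[256], planted[256], opened[256];
    int rc = -1, fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    /* attacker guesses the name from the pid and plants a link to the victim */
    snprintf(planted, sizeof planted, "%s/tmp_%d", dir, (int)getpid());
    if (write_victim(victim) == 0 && symlink(victim, planted) == 0) {
        fd = open_predictable(dir, getpid(), opened, sizeof opened);
        if (fd >= 0) close(fd);
        rc = file_size(victim) == 0;      /* O_TRUNC went through the link */
    }
    unlink(planted); unlink(victim); rmdir(dir);
    return rc;
}

/* Returns 1 if O_CREAT|O_EXCL refuses a planted symlink with EEXIST and
 * mkstemp then creates a fresh 0600 regular file, leaving the victim intact. */
int mkstemp_ignores_planted_symlink(void)
{
    char dir[] = DEMO_TEMPLATE, victim[256], planted[256], created[256] = "";
    struct stat st;
    int rc = -1, fd, excl_refused;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/ccs_tool_tmp_guess", dir);
    if (write_victim(victim) == 0 && symlink(victim, planted) == 0) {
        /* the primitive mkstemp builds on: O_EXCL does not follow symlinks */
        fd = open(planted, O_RDWR | O_CREAT | O_EXCL, 0600);
        excl_refused = (fd < 0 && errno == EEXIST);
        if (fd >= 0) close(fd);

        fd = open_unpredictable(dir, created, sizeof created);
        if (fd >= 0) {
            close(fd);
            rc = excl_refused
                 && lstat(created, &st) == 0 && S_ISREG(st.st_mode)
                 && (st.st_mode & 0777) == 0600
                 && strstr(created, "XXXXXX") == NULL   /* name was rewritten */
                 && file_size(victim) > 0;              /* victim untouched */
        }
    }
    if (created[0]) unlink(created);
    unlink(planted); unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("predictable name truncates victim: %d\n", predictable_name_truncates_victim());
    printf("mkstemp ignores planted symlink:   %d\n", mkstemp_ignores_planted_symlink());
    return 0;
}
```

Build with `gcc -Wall demo.c -o demo` and run as an unprivileged user: the first line prints 1 because O_TRUNC went through the symlink and emptied the victim, the second prints 1 because O_EXCL refused the planted link and mkstemp produced a fresh, mode 0600 regular file under a name the attacker could not have guessed. The same O_EXCL check is what to look for when auditing other tools: `strace -e trace=open,openat` on the program shows whether its temporary files are opened with O_EXCL or, as in the pre-patch ccs_tool, only with O_CREAT|O_TRUNC.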