peterdelevoryas / rpms / qemu

Forked from rpms/qemu 2 years ago
Clone

Blame 0003-slirp-use-less-predictable-directory-name-in-tmp-for.patch

6fc650
From: Michael Tokarev <mjt@tls.msk.ru>
6fc650
Date: Thu, 28 May 2015 14:12:26 +0300
6fc650
Subject: [PATCH] slirp: use less predictable directory name in /tmp for smb
6fc650
 config (CVE-2015-4037)
6fc650
6fc650
In this version I used mkdtemp(3) which is:
6fc650
6fc650
        _BSD_SOURCE
6fc650
        || /* Since glibc 2.10: */
6fc650
            (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
6fc650
6fc650
(POSIX.1-2008), so should be available on systems we care about.
6fc650
6fc650
While at it, reset the resulting directory name within smb structure
6fc650
on error so cleanup function wont try to remove directory which we
6fc650
failed to create.
6fc650
6fc650
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
6fc650
Reviewed-by: Markus Armbruster <armbru@redhat.com>
6fc650
(cherry picked from commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3)
6fc650
---
6fc650
 net/slirp.c | 7 +++----
6fc650
 1 file changed, 3 insertions(+), 4 deletions(-)
6fc650
6fc650
diff --git a/net/slirp.c b/net/slirp.c
6fc650
index 9bbed74..3090c10 100644
6fc650
--- a/net/slirp.c
6fc650
+++ b/net/slirp.c
6fc650
@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState *s)
6fc650
 static int slirp_smb(SlirpState* s, const char *exported_dir,
6fc650
                      struct in_addr vserver_addr)
6fc650
 {
6fc650
-    static int instance;
6fc650
     char smb_conf[128];
6fc650
     char smb_cmdline[128];
6fc650
     struct passwd *passwd;
6fc650
@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, const char *exported_dir,
6fc650
         return -1;
6fc650
     }
6fc650
 
6fc650
-    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
6fc650
-             (long)getpid(), instance++);
6fc650
-    if (mkdir(s->smb_dir, 0700) < 0) {
6fc650
+    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
6fc650
+    if (!mkdtemp(s->smb_dir)) {
6fc650
         error_report("could not create samba server dir '%s'", s->smb_dir);
6fc650
+        s->smb_dir[0] = 0;
6fc650
         return -1;
6fc650
     }
6fc650
     snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");