1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
From f27b8dba73295cb5296a50f2c19c0739b502eb94 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 24 Nov 2023 09:46:32 +0100
Subject: [PATCH] fopen: allocate the dir after fopen
Move the allocation of the directory name down to after the fopen() call
to allow that shortcut code path to avoid a superfluous malloc+free
cycle.
Follow-up to 73b65e94f35311
Closes #12398
CVE: CVE-2023-46219
Upstream-Status: Backport [https://github.com/curl/curl/commit/f27b8dba73295cb529]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
lib/fopen.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/lib/fopen.c b/lib/fopen.c
index 1670e32..b663f8b 100644
--- a/lib/fopen.c
+++ b/lib/fopen.c
@@ -98,18 +98,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
char *tempstore = NULL;
struct_stat sb;
int fd = -1;
- char *dir;
+ char *dir = NULL;
*tempname = NULL;
- dir = dirslash(filename);
- if(!dir)
- goto fail;
-
*fh = fopen(filename, FOPEN_WRITETEXT);
if(!*fh)
goto fail;
if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)){
- free(dir);
return CURLE_OK;
}
fclose(*fh);
@@ -119,9 +114,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
if(result)
goto fail;
- /* The temp file name should not end up too long for the target file
- system */
- tempstore = aprintf("%s%s.tmp", dir, randbuf);
+ dir = dirslash(filename);
+ if(dir) {
+ /* The temp file name should not end up too long for the target file
+ system */
+ tempstore = aprintf("%s%s.tmp", dir, randbuf);
+ free(dir);
+ }
if(!tempstore) {
result = CURLE_OUT_OF_MEMORY;
goto fail;
@@ -148,7 +147,6 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
if(!*fh)
goto fail;
- free(dir);
*tempname = tempstore;
return CURLE_OK;
@@ -161,7 +159,6 @@ fail:
free(tempstore);
*tempname = NULL;
- free(dir);
return result;
}
--
2.40.0
|
