Fix buffer overflow in tst_tmpdir.c
I have identified these issues through static auditing and would like to provide a brief report. Considering this is a test tool, the impact of not fixing them may be minimal, but they are still worth noting:
1. Using sprintf without length checking may lead to buffer overflow. https://github.com/linux-test-project/ltp/blob/master/lib/tst_tmpdir.c#L186
2. Missing fclose(f) in the return path causes resource leaks. https://github.com/linux-test-project/ltp/blob/master/lib/safe_file_ops.c#L146 https://github.com/linux-test-project/ltp/blob/master/lib/safe_file_ops.c#L153 https://github.com/linux-test-project/ltp/blob/master/lib/safe_file_ops.c#L274
The missing fclose() does not actually leak anything, because tst_brkm_() ends up calling exit(). The return in the code is there only for the case where a test is in the cleanup() callback, where we do want to finish the cleanup even if an error has happened, and tst_brkm_() skips calling exit() in that case. However, cleanup() is called at the end of the test and the test exits once cleanup() is finished. In summary, in this case the static analysis is not smart enough to understand the complexity of the code.
The buffer overflow in tst_tmpdir.c should be fixed. I suppose that the best option would be passing dirfd to rmobj() and using openat() instead of open() there.
checking
https://patchwork.ozlabs.org/project/ltp/patch/[email protected]/