Author: Lars Hjemli <hjemli@gmail.com>
cache_lock: do xstrdup/free on lockfile Since fmt() uses 8 alternating static buffers, and cache_lock might call cache_create_dirs() multiple times, which in turn might call fmt() twice, after four iterations lockfile would be overwritten by a cachedirectory path. In worst case, this could cause the cachedirectory to be unlinked and replaced by a cachefile. Fix: use xstrdup() on the result from fmt() before assigning to lockfile, and call free(lockfile) before exit. Signed-off-by: Lars Hjemli <hjemli@gmail.com>
cache.c | 3 ++-
diff --git a/cache.c b/cache.c
index b947a34e8046b9a5169700cd1205356aac2d4fa7..39e63a52bc6e488ef20a988b83f28bcf5a0c2db1 100644
--- a/cache.c
+++ b/cache.c
@@ -74,7 +74,7 @@
 int cache_lock(struct cacheitem *item)
 {
 int i = 0;
- char *lockfile = fmt("%s.lock", item->name);
+ char *lockfile = xstrdup(fmt("%s.lock", item->name));
 top:
 if (++i > cgit_max_lock_attempts)
@@ -90,6 +90,7 @@
 if (item->fd == NOLOCK && errno == EEXIST && cache_refill_overdue(lockfile) && !unlink(lockfile))
 goto top;
+ free(lockfile);
 return (item->fd > 0);
 }
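Review bot: The new `xstrdup(fmt(...))` on the `lockfile` declaration needs a comment, because nothing at the call site shows that `fmt()` hands back a recycled static buffer. Without it a later cleanup could drop the copy and bring back the overwrite that ends with `unlink()` being called on a cache directory path. I would add `/* fmt() cycles through static buffers; keep a private copy so later fmt() calls cannot change the path we unlink() */` directly above the declaration. The rest of cache_lock's body lies between this hunk and the next and is not shown here.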
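Review bot: The single `free(lockfile);` before `return` releases the copy on this exit only, and new lines 81–89 of cache_lock fall outside both hunks, so please confirm no other `return` sits between `top:` and here. The `die()` branch in the first hunk also skips the free, which is fine only if `die()` never returns. Separately, `free()` is allowed to modify `errno` on some C libraries; if any caller reports `strerror(errno)` after cache_lock fails (not visible from this diff), preserve it with `int saved = errno; free(lockfile); errno = saved;`.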