summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSascha Hauer <s.hauer@pengutronix.de>2018-08-30 12:06:42 +0200
committerSascha Hauer <s.hauer@pengutronix.de>2018-08-30 12:34:25 +0200
commit0909ed8f4b4c4aeadb8b39ecbe9462f58a8b9edd (patch)
tree3d336b1f6e4e7ee69cd2bfe1d47cf65d09a226b3
parent4e43a0f1e3d59b13e1cb389c8c30159eb0cf10a7 (diff)
downloadbarebox-0909ed8f4b4c4aeadb8b39ecbe9462f58a8b9edd.tar.gz
fs: tftp: fix memory hole
dpath() returns a pointer to an allocated string, so we have to free it. Put the pointer into our file private data and free it on close time. Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
-rw-r--r--fs/tftp.c17
1 files changed, 7 insertions, 10 deletions
diff --git a/fs/tftp.c b/fs/tftp.c
index 025edbf..bcb95bc 100644
--- a/fs/tftp.c
+++ b/fs/tftp.c
@@ -79,7 +79,7 @@ struct file_priv {
uint16_t last_block;
int state;
int err;
- const char *filename;
+ char *filename;
int filesize;
uint64_t resend_timeout;
uint64_t progress_timeout;
@@ -139,7 +139,7 @@ static int tftp_send(struct file_priv *priv)
"%d%c"
"blksize%c"
"1432",
- priv->filename, 0,
+ priv->filename + 1, 0,
0,
0,
TIMEOUT, 0,
@@ -374,16 +374,15 @@ static void tftp_handler(void *ctx, char *packet, unsigned len)
}
static struct file_priv *tftp_do_open(struct device_d *dev,
- int accmode, const char *filename)
+ int accmode, struct dentry *dentry)
{
+ struct fs_device_d *fsdev = dev_to_fs_device(dev);
struct file_priv *priv;
struct tftp_priv *tpriv = dev->priv;
int ret;
priv = xzalloc(sizeof(*priv));
- filename++;
-
switch (accmode & O_ACCMODE) {
case O_RDONLY:
priv->push = 0;
@@ -408,7 +407,7 @@ static struct file_priv *tftp_do_open(struct device_d *dev,
priv->block = 1;
priv->err = -EINVAL;
- priv->filename = filename;
+ priv->filename = dpath(dentry, fsdev->vfsmount.mnt_root);
priv->blocksize = TFTP_BLOCK_SIZE;
priv->block_requested = -1;
@@ -461,11 +460,8 @@ out:
static int tftp_open(struct device_d *dev, FILE *file, const char *filename)
{
struct file_priv *priv;
- struct fs_device_d *fsdev = dev_to_fs_device(dev);
-
- filename = dpath(file->dentry, fsdev->vfsmount.mnt_root);
- priv = tftp_do_open(dev, file->flags, filename);
+ priv = tftp_do_open(dev, file->flags, file->dentry);
if (IS_ERR(priv))
return PTR_ERR(priv);
@@ -507,6 +503,7 @@ static int tftp_do_close(struct file_priv *priv)
net_unregister(priv->tftp_con);
kfifo_free(priv->fifo);
+ free(priv->filename);
free(priv->buf);
free(priv);