author | Ahmad Fatoum <a.fatoum@pengutronix.de> | 2023-11-22 18:03:23 +0100 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2023-12-13 14:45:22 +0100 |
commit | 6cb38a3d46edc3a64fc1f1660d2632cc84f0a8d9 (patch) | |
tree | 3d0201e0b9b4cd39340a1c28cc54e32136ee0ff4 /lib | |
parent | 451a7ab16b695a852719c851f4dc3a85c95f6de4 (diff) | |
uncompress: skip dentry cache in uncompress_buf_to_buf
make_temp() creates a named temporary file, which even after deletion
will keep a negative dentry cache entry that's never freed.
As we don't use the file name for anything, we can just get our
temporary file via open(O_TMPFILE), which won't involve the dentry cache
at all and thereby avoids leaking memory when fuzzing uncompress_buf_to_buf.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Link: https://lore.barebox.org/20231122170323.15175-3-a.fatoum@pengutronix.de
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/uncompress.c | 36 |
1 files changed, 16 insertions, 20 deletions
diff --git a/lib/uncompress.c b/lib/uncompress.c
index 71ac882b87..bfe042fcf8 100644
--- a/lib/uncompress.c
+++ b/lib/uncompress.c
@@ -185,30 +185,26 @@ int uncompress_buf_to_fd(const void *input, size_t input_len,
 ssize_t uncompress_buf_to_buf(const void *input, size_t input_len, void **buf, void(*error_fn)(char *x)) {
- char *dstpath;
 size_t size;
- int outfd, ret;
+ int fd, ret;
+ void *p;
- dstpath = make_temp("data-uncompressed");
- if (!dstpath)
- return -ENOMEM;
+ fd = open("/tmp", O_TMPFILE | O_RDWR);
+ if (fd < 0)
+ return -ENODEV;
- outfd = open(dstpath, O_CREAT | O_WRONLY);
- if (outfd < 0) {
- ret = -ENODEV;
- goto free_temp;
- }
-
- ret = uncompress_buf_to_fd(input, input_len, outfd, error_fn);
+ ret = uncompress_buf_to_fd(input, input_len, fd, error_fn);
 if (ret)
- goto close_outfd;
-
- *buf = read_file(dstpath, &size);
-close_outfd:
- close(outfd);
- unlink(dstpath);
-free_temp:
- free(dstpath);
+ goto close_fd;
+
+ p = read_fd(fd, &size);
+ if (p)
+ *buf = p;
+ else
+ ret = -errno;
+
+close_fd:
+ close(fd);
 return ret ?: size;
 }
|
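Review bot: On the `read_fd()` failure branch, `ret = -errno;` only signals an error if `read_fd()` actually set `errno`; its body is not visible here, but if it can return NULL with `errno` still 0, `ret` stays 0 and `return ret ?: size;` hands back an uninitialized `size` while `*buf` was never written. Because this function decompresses input that may be untrusted (the commit mentions fuzzing it), a caller that trusts the non-negative return would then use a stale `*buf` pointer. A fallback such as `ret = errno ? -errno : -EIO;` closes that gap, and a short comment stating that `*buf` is written only on success would make the contract explicit. Separately, a failing `open("/tmp", O_TMPFILE | O_RDWR)` is still flattened to `-ENODEV`; `return -errno;` would be consistent with the new `read_fd()` path and would show when `/tmp` lacks O_TMPFILE support, though existing callers may rely on the old code.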