From d009633d30f746b0f5c53442e5f37743653deb9d Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Wed, 16 May 2007 20:06:08 +0000
Subject: Close security hole in tmpfile. * libc/stdio/tmpfile.c (_tmpfile_r):
 Avoid window between filename generation and opening the fd. *
 libc/stdio64/tmpfile64.c (_tmpfile64_r): Likewise.

---
 newlib/libc/stdio/tmpfile.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

(limited to 'newlib/libc/stdio')

diff --git a/newlib/libc/stdio/tmpfile.c b/newlib/libc/stdio/tmpfile.c
index a6c2c9136..902ef0b4d 100644
--- a/newlib/libc/stdio/tmpfile.c
+++ b/newlib/libc/stdio/tmpfile.c
@@ -49,6 +49,11 @@ Supporting OS subroutines required: <<close>>, <<fstat>>, <<getpid>>,
 #include <reent.h>
 #include <stdio.h>
 #include <errno.h>
+#include <fcntl.h>
+
+#ifndef O_BINARY
+# define O_BINARY 0
+#endif
 
 FILE *
 _DEFUN(_tmpfile_r, (ptr),
@@ -58,11 +63,22 @@ _DEFUN(_tmpfile_r, (ptr),
   int e;
   char *f;
   char buf[L_tmpnam];
-
-  if ((f = _tmpnam_r (ptr, buf)) == NULL)
+  int fd;
+
+  do
+    {
+      if ((f = _tmpnam_r (ptr, buf)) == NULL)
+	return NULL;
+      fd = _open_r (ptr, f, O_RDWR | O_CREAT | O_EXCL | O_BINARY,
+		    S_IRUSR | S_IWUSR);
+    }
+  while (fd < 0 && ptr->_errno == EEXIST);
+  if (fd < 0)
     return NULL;
-  fp = _fopen_r (ptr, f, "wb+");
+  fp = _fdopen_r (ptr, fd, "wb+");
   e = ptr->_errno;
+  if (!fp)
+    _close_r (ptr, fd);
   _CAST_VOID _remove_r (ptr, f);
   ptr->_errno = e;
   return fp;
-- 
cgit v1.2.3