[LTP] [PATCH v4] tst_tmpdir: Fix buffer overflow in tst_tmpdir.c
Wei Gao
wegao@suse.com
Thu Feb 26 02:34:05 CET 2026
On Wed, Feb 25, 2026 at 11:58:53AM +0100, Cyril Hrubis wrote:
> Hi!
> > @@ -183,8 +186,7 @@ static int purge_dir(const char *path, char **errptr)
> > continue;
> >
> > /* Recursively remove the current entry */
> > - sprintf(dirobj, "%s/%s", path, dir_ent->d_name);
> > - if (rmobj(dirobj, errptr) != 0)
> > + if (rmobjat(subdir_fd, dir_ent->d_name, errptr) != 0)
> > ret_val = -1;
> > }
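Review bot: in the new `rmobjat(subdir_fd, dir_ent->d_name, errptr)` call, the lines shown do not say who owns `subdir_fd`. The loop reuses it for every entry and only sets `ret_val = -1` on failure, so add a short comment where it is opened stating whether it is the descriptor behind `dir` (released by `closedir(dir)`) or a separate one that needs its own `close()` after the loop on every exit path.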
>
> Shouldn't we close(subdir_fd) here as well?
I guess you mean the following change? Then I think adding close(subdir_fd) inside the loop will actually cause a double-close,
since after the for loop another closedir(dir) will be called. closedir will also try to close the underlying file descriptor.
Correct me if I made any mistake, thanks.
diff --git a/lib/tst_tmpdir.c b/lib/tst_tmpdir.c
index 9b024a74e..0c06a306c 100644
--- a/lib/tst_tmpdir.c
+++ b/lib/tst_tmpdir.c
@@ -186,8 +186,10 @@ static int purge_dirat(int dir_fd, const char *path, char **errptr)
continue;
/* Recursively remove the current entry */
- if (rmobjat(subdir_fd, dir_ent->d_name, errptr) != 0)
+ if (rmobjat(subdir_fd, dir_ent->d_name, errptr) != 0) {
+ close(subdir_fd); <<<<<<<<<< first close
ret_val = -1;
+ }
}
closedir(dir); <<<<<<<<<<<<< second close
return ret_val;
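Review bot: the added `close(subdir_fd)` sits in the failure branch inside the loop with no `break`, so after the first failed `rmobjat()` every later entry would be passed a closed descriptor. Release it once after the loop instead; if `subdir_fd` is the descriptor underlying `dir`, the existing `closedir(dir)` is that single release and no extra `close()` is needed.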
>
> > @@ -192,63 +194,53 @@ static int purge_dir(const char *path, char **errptr)
> > return ret_val;
> > }
> >
>
> The rest seems to be fine.
>
> --
> Cyril Hrubis
> chrubis@suse.cz
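
The descriptor-ownership rule discussed in this thread, as an added example that is not part of the original message or of LTP's code: it assumes the directory descriptor is handed to fdopendir(), after which one closedir() following the loop is the only release. `purge_at`, `demo` and the tree under /tmp are hypothetical names and constructed sample input.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not LTP's purge_dirat(): empties `name` via *at() calls. */
static int purge_at(int parent_fd, const char *name)
{
	int ret = 0, fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
	DIR *dir = fd < 0 ? NULL : fdopendir(fd); /* on success the stream owns fd */
	struct dirent *ent;
	if (!dir) {
		if (fd >= 0)
			close(fd); /* the only path where fd is closed by hand */
		return -1;
	}
	while ((ent = readdir(dir))) {
		if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, ".."))
			continue;
		if (unlinkat(fd, ent->d_name, 0) == 0) /* regular file or symlink */
			continue;
		if (purge_at(fd, ent->d_name) || unlinkat(fd, ent->d_name, AT_REMOVEDIR))
			ret = -1; /* record the failure and go on: fd must stay open */
	}
	closedir(dir); /* single release of both the stream and fd */
	return ret;
}

/* Constructed tree <tmp>/a, <tmp>/sub/b; returns 0 if purged and fd was released. */
static int demo(void)
{
	char tmpl[] = "/tmp/purge_demo_XXXXXX";
	int top;
	DIR *dir;
	if (!mkdtemp(tmpl) || (top = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0)
		return -1;
	mkdirat(top, "sub", 0700);
	close(openat(top, "a", O_CREAT | O_WRONLY, 0600));
	close(openat(top, "sub/b", O_CREAT | O_WRONLY, 0600));
	if (purge_at(AT_FDCWD, tmpl) || !(dir = fdopendir(top)))
		return -1;
	closedir(dir); /* also closes top, so a later close(top) would be a double close */
	return (fcntl(top, F_GETFD) == -1 && errno == EBADF && rmdir(tmpl) == 0) ? 0 : -1;
}

int main(void) { return demo() ? 1 : 0; }
```

The fcntl(F_GETFD) probe returning EBADF shows the descriptor is already gone after closedir(), without performing the second close itself.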