commit 16d6ab6640b4404d47096cbf1d25e1b57b0b26bb Author: Nick Mathewson nickm@torproject.org Date: Wed Apr 26 08:43:38 2017 -0400
Fix use-after-free bug in storage_dir sandbox code. --- src/common/storagedir.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/common/storagedir.c b/src/common/storagedir.c index 7e0be67..9d3c32e 100644 --- a/src/common/storagedir.c +++ b/src/common/storagedir.c @@ -89,11 +89,12 @@ storage_dir_register_with_sandbox(storage_dir_t *d, sandbox_cfg_t **cfg) tor_asprintf(&path, "%s/%d", d->directory, idx); tor_asprintf(&tmppath, "%s/%d.tmp", d->directory, idx);
- problems += sandbox_cfg_allow_open_filename(cfg, path); - problems += sandbox_cfg_allow_open_filename(cfg, tmppath); - problems += sandbox_cfg_allow_stat_filename(cfg, path); - problems += sandbox_cfg_allow_stat_filename(cfg, tmppath); - problems += sandbox_cfg_allow_rename(cfg, tmppath, path); + problems += sandbox_cfg_allow_open_filename(cfg, tor_strdup(path)); + problems += sandbox_cfg_allow_open_filename(cfg, tor_strdup(tmppath)); + problems += sandbox_cfg_allow_stat_filename(cfg, tor_strdup(path)); + problems += sandbox_cfg_allow_stat_filename(cfg, tor_strdup(tmppath)); + problems += sandbox_cfg_allow_rename(cfg, + tor_strdup(tmppath), tor_strdup(path));
tor_free(path); tor_free(tmppath);