From 446b4207cc7a30d8a4d5b2445a5a1b27d440f55d Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Fri, 18 Feb 2011 17:04:56 -0500
Subject: major improvements to temp file name generator

use current time in nanoseconds and some potentially-random (if aslr
is enabled) pointer values for the initial tempfile name generation,
and step via a cheap linear prng on collisions. limit the number of
retry attempts to prevent denial of service attacks even if an
attacker can guess the filenames.
---
 src/temp/mkdtemp.c |  4 +++-
 src/temp/mkstemp.c |  5 +++--
 src/temp/mktemp.c  | 28 +++++++++++++++-------------
 3 files changed, 21 insertions(+), 16 deletions(-)

(limited to 'src/temp')

diff --git a/src/temp/mkdtemp.c b/src/temp/mkdtemp.c
index 162d98b0..f2ecc510 100644
--- a/src/temp/mkdtemp.c
+++ b/src/temp/mkdtemp.c
@@ -12,7 +12,8 @@ char *__mktemp(char *);
 
 char *mkdtemp(char *template)
 {
-	for (;;) {
+	int retries = 100;
+	while (retries--) {
 		if (!__mktemp(template)) return 0;
 		if (!mkdir(template, 0700)) return template;
 		if (errno != EEXIST) return 0;
@@ -20,4 +21,5 @@ char *mkdtemp(char *template)
 		 * that we have a valid template string */
 		strcpy(template+strlen(template)-6, "XXXXXX");
 	}
+	return 0;
 }
diff --git a/src/temp/mkstemp.c b/src/temp/mkstemp.c
index 34642569..2ab3020b 100644
--- a/src/temp/mkstemp.c
+++ b/src/temp/mkstemp.c
@@ -11,8 +11,8 @@ char *__mktemp(char *);
 
 int mkstemp(char *template)
 {
-	int fd;
-	for (;;) {
+	int fd, retries = 100;
+	while (retries--) {
 		if (!__mktemp(template)) return 0;
 		if ((fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600))>=0)
 			return fd;
@@ -21,6 +21,7 @@ int mkstemp(char *template)
 		 * that we have a valid template string */
 		strcpy(template+strlen(template)-6, "XXXXXX");
 	}
+	return -1;
 }
 
 LFS64(mkstemp);
diff --git a/src/temp/mktemp.c b/src/temp/mktemp.c
index 1078b9df..1462a16c 100644
--- a/src/temp/mktemp.c
+++ b/src/temp/mktemp.c
@@ -4,28 +4,30 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
+#include <time.h>
+#include <stdint.h>
 #include "libc.h"
 
 char *__mktemp(char *template)
 {
-	static int lock;
-	static int index;
-	int l = strlen(template);
+	struct timespec ts;
+	size_t l = strlen(template);
+	int retries = 10000;
+	unsigned long r;
 
 	if (l < 6 || strcmp(template+l-6, "XXXXXX")) {
 		errno = EINVAL;
-		return NULL;
+		return 0;
 	}
-	LOCK(&lock);
-	for (; index < 1000000; index++) {
-		snprintf(template+l-6, 6, "%06d", index);
-		if (access(template, F_OK) != 0) {
-			UNLOCK(&lock);
-			return template;
-		}
+	clock_gettime(CLOCK_REALTIME, &ts);
+	r = ts.tv_nsec + (uintptr_t)&ts / 16 + (uintptr_t)template;
+	while (retries--) {
+		snprintf(template+l-6, 7, "%06lX", r & 0xffffff);
+		if (access(template, F_OK) < 0) return template;
+		r = r * 1103515245 + 12345;
 	}
-	UNLOCK(&lock);
-	return NULL;	
+	errno = EEXIST;
+	return 0;
 }
 
 weak_alias(__mktemp, mktemp);
-- 
cgit v1.2.1