cache_lock: do xstrdup/free on lockfile

Since fmt() uses 8 alternating static buffers, and cache_lock might call
cache_create_dirs() multiple times, which in turn might call fmt() twice,
after four iterations lockfile would be overwritten by a cachedirectory
path.

In worst case, this could cause the cachedirectory to be unlinked and replaced
by a cachefile.

Fix: use xstrdup() on the result from fmt() before assigning to lockfile, and
call free(lockfile) before exit.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/cache.c b/cache.c
index b947a34..39e63a5 100644
--- a/cache.c
+++ b/cache.c
@@ -71,13 +71,13 @@ int cache_refill_overdue(const char *lockfile)
                 return (time(NULL) - st.st_mtime > cgit_cache_max_create_time);
 }
 
 int cache_lock(struct cacheitem *item)
 {
         int i = 0;
-        char *lockfile = fmt("%s.lock", item->name);
+        char *lockfile = xstrdup(fmt("%s.lock", item->name));
 
  top:
         if (++i > cgit_max_lock_attempts)
                 die("cache_lock: unable to lock %s: %s",
                     item->name, strerror(errno));
 
@@ -87,12 +87,13 @@ int cache_lock(struct cacheitem *item)
                 goto top;
 
         if (item->fd == NOLOCK && errno == EEXIST &&
             cache_refill_overdue(lockfile) && !unlink(lockfile))
                         goto top;
 
+        free(lockfile);
         return (item->fd > 0);
 }
 
 int cache_unlock(struct cacheitem *item)
 {
         close(item->fd);