fs: Fix fs_open resource leak when invoked on fs_file_t object in use

de-nordic · nashif · commit d4666f537cc6 · 2021-01-29T08:04:51.000-05:00
Fixes problem when fs_open invoked on fs_file_t object, which is already holding information on opened file, overwrites references to other memory objects within the fs_file_t object causing resource leak. If fs_open is invoked on already used fs_file_t object, it will return -EBUSY. Note: The change requires that all fs_file_t objects should be initialized to 0. Fixes: #29478 Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
diff --git a/subsys/fs/fs.c b/subsys/fs/fs.c
@@ -143,25 +143,30 @@ int fs_open(struct fs_file_t *zfp, const char *file_name, fs_mode_t flags)
 		return -EINVAL;
 	}
 
+	if (zfp->mp != NULL) {
+		return -EBUSY;
+	}
+
 	rc = fs_get_mnt_point(&mp, file_name, NULL);
 	if (rc < 0) {
 		LOG_ERR("%s:mount point not found!!", __func__);
 		return rc;
 	}
 
-	zfp->mp = mp;
 	if (((mp->flags & FS_MOUNT_FLAG_READ_ONLY) != 0) &&
 	    (flags & FS_O_CREATE || flags & FS_O_WRITE)) {
 		return -EROFS;
 	}
 
-	CHECKIF(zfp->mp->fs->open == NULL) {
+	CHECKIF(mp->fs->open == NULL) {
 		return -ENOTSUP;
 	}
 
-	rc = zfp->mp->fs->open(zfp, file_name, flags);
+	zfp->mp = mp;
+	rc = mp->fs->open(zfp, file_name, flags);
 	if (rc < 0) {
 		LOG_ERR("file open error (%d)", rc);
+		zfp->mp = NULL;
 		return rc;
 	}
 
diff --git a/tests/subsys/fs/fs_api/src/test_fs_dir_file.c b/tests/subsys/fs/fs_api/src/test_fs_dir_file.c
@@ -436,6 +436,10 @@ void test_file_open(void)
 	ret = fs_open(&filep, TEST_FILE, FS_O_READ);
 	zassert_equal(ret, 0, "Fail to open file");
 
+	TC_PRINT("\nDouble-open\n");
+	ret = fs_open(&filep, TEST_FILE, FS_O_READ);
+	zassert_equal(ret, -EBUSY, "Expected -EBUSY, got %d", ret);
+
 	TC_PRINT("\nReopen the same file");
 	ret = fs_open(&filep, TEST_FILE, FS_O_READ);
 	zassert_not_equal(ret, 0, "Reopen an opend file");
@@ -827,6 +831,12 @@ void test_file_close(void)
 	ret = fs_close(&filep);
 	zassert_equal(ret, 0, "Fail to close file");
 
+	TC_PRINT("Reuse fs_file_t from closed file");
+	ret = fs_open(&filep, TEST_FILE, FS_O_READ);
+	zassert_equal(ret, 0, "Expected open to succeed, got %d", ret);
+	ret = fs_close(&filep);
+	zassert_equal(ret, 0, "Expected close to succeed, got %d", ret);
+
 	TC_PRINT("\nClose a closed file:\n");
 	filep.mp = &test_fs_mnt_1;
 	ret = fs_close(&filep);

Original file line number	Diff line number	Diff line change
`@@ -143,25 +143,30 @@ int fs_open(struct fs_file_t zfp, const char file_name, fs_mode_t flags)`
`143`	`143`	`return -EINVAL;`
`144`	`144`	`}`
`145`	`145`
	`146`	`+ if (zfp->mp != NULL) {`
	`147`	`+ return -EBUSY;`
	`148`	`+ }`
	`149`	`+`
`146`	`150`	`rc = fs_get_mnt_point(&mp, file_name, NULL);`
`147`	`151`	`if (rc < 0) {`
`148`	`152`	`LOG_ERR("%s:mount point not found!!", __func__);`
`149`	`153`	`return rc;`
`150`	`154`	`}`
`151`	`155`
`152`		`- zfp->mp = mp;`
`153`	`156`	`if (((mp->flags & FS_MOUNT_FLAG_READ_ONLY) != 0) &&`
`154`	`157`	`(flags & FS_O_CREATE \|\| flags & FS_O_WRITE)) {`
`155`	`158`	`return -EROFS;`
`156`	`159`	`}`
`157`	`160`
`158`		`- CHECKIF(zfp->mp->fs->open == NULL) {`
	`161`	`+ CHECKIF(mp->fs->open == NULL) {`
`159`	`162`	`return -ENOTSUP;`
`160`	`163`	`}`
`161`	`164`
`162`		`- rc = zfp->mp->fs->open(zfp, file_name, flags);`
	`165`	`+ zfp->mp = mp;`
	`166`	`+ rc = mp->fs->open(zfp, file_name, flags);`
`163`	`167`	`if (rc < 0) {`
`164`	`168`	`LOG_ERR("file open error (%d)", rc);`
	`169`	`+ zfp->mp = NULL;`
`165`	`170`	`return rc;`
`166`	`171`	`}`
`167`	`172`