[lxc-devel] [PATCH] Fix strlen on non-null terminated buffer strlen() becomes strnlen()
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Sep 7 19:50:10 UTC 2015
Quoting Christian Brauner (christianvanbrauner at gmail.com):
> Sorry, forget it, that doesn't make sense...
>
> On Mon, Sep 07, 2015 at 08:38:51PM +0200, Christian Brauner wrote:
> > Signed-off-by: Christian Brauner <christianvanbrauner at gmail.com>
> > ---
> > src/lxc/lxccontainer.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> > index 932d658..ae9f895 100644
> > --- a/src/lxc/lxccontainer.c
> > +++ b/src/lxc/lxccontainer.c
> > @@ -2074,7 +2074,7 @@ static bool mod_rdep(struct lxc_container *c0, struct lxc_container *c, bool inc
> > * a multiple of a pagesize. Hence, we'll use memmem(). */
> > if ((del = memmem(buf, fbuf.st_size, newpath, len))) {
> > /* remove container entry */
> > - memmove(del, del + len, strlen(del) - len + 1);
> > + memmove(del, del + len, strnlen(del, fbuf.st_size) - len + 1);
strnlen can still go off the end here. I think you want something like:

	if (del != buf + fbuf.st_size - len) {
		size_t difflen = fbuf.st_size - (del-buf);
		memmove(del, del + len, strnlen(del, difflen) - len);
		del[len] = '\0';
	}
> >
> > munmap(buf, fbuf.st_size);
> >
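Review bot: on the + line the strnlen() bound is fbuf.st_size, the size of the whole mapping measured from buf, but the scan starts at del, which memmem() returned somewhere inside that mapping, so the read can still run past buf + fbuf.st_size. The bound should be the bytes that remain after del, fbuf.st_size - (del - buf). The trailing + 1 also still copies a terminator byte, which the subject line says this buffer does not have; since both the mapping size and len are known, the move length can be computed from them directly without scanning for a NUL at all.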
> > --
> > 2.5.1
> >
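Added example, not part of the original message or of the LXC source: the bounds problem discussed in the review above, avoided by using length arithmetic on the known buffer size instead of strlen()/strnlen(). The names find_bytes, remove_entry and check_case and the sample entries are assumptions made for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Bounded search over hay[0..hlen); portable stand-in for the memmem() call in the patch. */
static char *find_bytes(char *hay, size_t hlen, const char *needle, size_t nlen)
{
	if (nlen == 0 || nlen > hlen)
		return NULL;
	for (size_t i = 0; i + nlen <= hlen; i++)
		if (memcmp(hay + i, needle, nlen) == 0)
			return hay + i;
	return NULL;
}

/* Remove the first copy of entry from buf[0..size), which has no NUL terminator.
 * Returns the new content length; the caller would shrink the file to it. */
size_t remove_entry(char *buf, size_t size, const char *entry, size_t len)
{
	char *del = find_bytes(buf, size, entry, len);
	if (!del)
		return size;
	/* Bytes after the entry, counted from the match, not from the start of buf. */
	size_t tail = size - (size_t)(del - buf) - len;
	if (tail > 0)               /* tail == 0: entry was last, nothing to move */
		memmove(del, del + len, tail);
	return size - len;
}

/* Hypothetical helper: run remove_entry on an exact-size heap copy (no spare byte
 * for a terminator, like a mapping that ends on a page boundary); 1 if result matches. */
int check_case(const char *content, const char *entry, const char *expected)
{
	size_t size = strlen(content);
	char *buf = malloc(size ? size : 1);
	if (!buf)
		return 0;
	memcpy(buf, content, size);
	size_t n = remove_entry(buf, size, entry, strlen(entry));
	int ok = n == strlen(expected) && memcmp(buf, expected, n) == 0;
	free(buf);
	return ok;
}

int main(void)
{
	/* Constructed sample entries, not taken from a real container. */
	return !check_case("/p\nc1\n/p\nc2\n", "/p\nc2\n", "/p\nc1\n");
}
```

Building this with -fsanitize=address makes any read or write past the exact-size buffer abort the run, which is a quick way to check the last-entry case.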