[lxc-devel] [lxc/master] fix possible buffer overflow
n-eiling on Github
lxc-bot at linuxcontainers.org
Wed Mar 30 18:25:23 UTC 2016
From a17fa3c081a2a2e2ec692ed8decaf54470d05dce Mon Sep 17 00:00:00 2001
From: Niklas Eiling <niklas.eiling at rwth-aachen.de>
Date: Wed, 30 Mar 2016 20:10:21 +0200
Subject: [PATCH] fix possible buffer overflow strncat only returns its first
argument and not the end of the written string. Thus "buf-pos" is always 0
and consequently no range check is performed.
Signed-off-by: Niklas Eiling <niklas.eiling at rwth-aachen.de>
---
src/lxc/criu.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 75ae4e2..aa874c7 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -126,8 +126,8 @@ static void exec_criu(struct criu_opts *opts)
int netnr = 0;
struct lxc_list *it;
- char buf[4096], *pos, tty_info[32];
-
+ char buf[4096], tty_info[32];
+ size_t pos;
/* If we are currently in a cgroup /foo/bar, and the container is in a
* cgroup /lxc/foo, lxcfs will give us an ENOENT if some task in the
* container has an open fd that points to one of the cgroup files
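Review bot: style point on the declarations at the top of exec_criu(): the blank line that separated the declarations from the following comment block is dropped, and `size_t pos;` now holds a byte count rather than a pointer, so the name no longer matches what it stores. Suggest keeping the blank line after the declarations and renaming the variable to something like `used` or `len` so the arithmetic in the later loop reads as a length calculation.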
@@ -363,10 +363,11 @@ static void exec_criu(struct criu_opts *opts)
argv[argc] = NULL;
buf[0] = 0;
- pos = buf;
+ pos = 0;
for (i = 0; argv[i]; i++) {
- pos = strncat(buf, argv[i], buf + sizeof(buf) - pos);
- pos = strncat(buf, " ", buf + sizeof(buf) - pos);
+ strncat(buf, argv[i], sizeof(buf) - pos - 1);
+ strncat(buf, " ", sizeof(buf) - pos - 1);
+ pos += strlen(argv[i]);
}
INFO("execing: %s", buf);
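Review bot: the bound in the loop body is still not tight. `pos += strlen(argv[i]);` runs only after both strncat calls and never counts the appended space, so `sizeof(buf) - pos - 1` overstates the remaining room by the length of the current argument for the " " call and by one more byte per argument on every later iteration. It also adds the full argument length even when strncat truncated the copy, so once the argument lengths sum past sizeof(buf) - 1 the size_t subtraction wraps to a very large value and the next strncat is effectively unbounded. Suggest deriving the limit from the buffer itself, for example `sizeof(buf) - strlen(buf) - 1` in each call, or building the string with snprintf and checking its return value against the space left, and stopping the loop when the buffer is full.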