[lxc-devel] [lxc/master] log: sanity check the returned value from snprintf()

jiazhang0 on Github lxc-bot at linuxcontainers.org
Tue Oct 11 01:35:27 UTC 2016


From f6c796102abe950821377a11f7ddd05199418365 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang at windriver.com>
Date: Mon, 10 Oct 2016 21:49:55 +0800
Subject: [PATCH] log: sanity check the returned value from snprintf()

The returned value from snprintf() should be checked carefully.

This bug can be leveraged to execute arbitrary code through carefully
constructing the payload, e.g.,

lxc-freeze -n `python -c "print 'AAAAAAAA' + 'B'*959"` -P PADPAD -o /tmp/log

This command running on Ubuntu 14.04 (x86-64) can cause a segmentation fault.

Signed-off-by: Lans Zhang <jia.zhang at windriver.com>
---
 src/lxc/log.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lxc/log.c b/src/lxc/log.c
index cab77f2..6775822 100644
--- a/src/lxc/log.c
+++ b/src/lxc/log.c
@@ -170,10 +170,13 @@ static int log_append_logfile(const struct lxc_log_appender *appender,
 		     event->locinfo->file, event->locinfo->func,
 		     event->locinfo->line);
 
-	n += vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt,
-		       *event->vap);
+	if (n < 0)
+		return n;
 
-	if (n >= sizeof(buffer) - 1) {
+	if (n < sizeof(buffer) - 1)
+		n += vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt,
+			       *event->vap);
+	else {
 		WARN("truncated next event from %d to %zd bytes", n,
 		     sizeof(buffer));
 		n = sizeof(buffer) - 1;
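
Review bot: In the new "if (n < sizeof(buffer) - 1)" branch, the return value of vsnprintf() is added to n unchecked, and the WARN/clamp block has become the else of that test, so it no longer runs after the vsnprintf() call as it did in the removed lines. vsnprintf() returns the length that would have been written, so a long message following a short header still leaves n above sizeof(buffer) - 1, and the call can also return a negative value. If code after this hunk uses n as a length or index into buffer, that case is still out of bounds. Suggest keeping the guard on the call but restoring an unconditional "if (n >= sizeof(buffer) - 1)" clamp after it, and storing the vsnprintf() result in a separate variable so a negative return can be handled before it is added to n. Also, "n < sizeof(buffer) - 1" compares an int with a size_t and is only correct because the "if (n < 0)" check comes first; a short comment saying so would keep a later reorder from reintroducing the bug.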

