[lxc-devel] [lxc/master] string_utils: fix global buffer overflow issue

[2xsec on Github]

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 1077 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20181018/d8e75a45/attachment.bin>
-------------- next part --------------
From 7cfde20f987262acaf5250bfd305691ebe303fd6 Mon Sep 17 00:00:00 2001
From: 2xsec <dh48.jeong at samsung.com>
Date: Thu, 18 Oct 2018 15:16:54 +0900
Subject: [PATCH] string_utils: fix global buffer overflow issue

Signed-off-by: 2xsec <dh48.jeong at samsung.com>
---
 src/lxc/string_utils.c | 41 +++++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/src/lxc/string_utils.c b/src/lxc/string_utils.c
index fb46109b9..7bc99c428 100644
--- a/src/lxc/string_utils.c
+++ b/src/lxc/string_utils.c
@@ -784,24 +784,32 @@ char *must_make_path(const char *first, ...)
 	char *cur, *dest;
 	size_t full_len = strlen(first);
 	size_t buf_len;
+	size_t cur_len;
 
 	dest = must_copy_string(first);
+	cur_len = full_len;
 
 	va_start(args, first);
 	while ((cur = va_arg(args, char *)) != NULL) {
-		full_len += strlen(cur);
+		buf_len = strlen(cur);
+
+		full_len += buf_len;
 		if (cur[0] != '/')
 			full_len++;
 
-		buf_len = full_len + 1;
-		dest = must_realloc(dest, buf_len);
+		dest = must_realloc(dest, full_len + 1);
 
-		if (cur[0] != '/')
-			(void)strlcat(dest, "/", buf_len);
-		(void)strlcat(dest, cur, buf_len);
+		if (cur[0] != '/') {
+			memcpy(dest + cur_len, "/", 1);
+			cur_len++;
+		}
+
+		memcpy(dest + cur_len, cur, buf_len);
+		cur_len += buf_len;
 	}
 	va_end(args);
 
+	dest[cur_len] = '\0';
 	return dest;
 }
 
@@ -812,23 +820,32 @@ char *must_append_path(char *first, ...)
 	va_list args;
 	char *dest = first;
 	size_t buf_len;
+	size_t cur_len;
 
 	full_len = strlen(first);
+	cur_len = full_len;
+
 	va_start(args, first);
 	while ((cur = va_arg(args, char *)) != NULL) {
-		full_len += strlen(cur);
+		buf_len = strlen(cur);
+
+		full_len += buf_len;
 		if (cur[0] != '/')
 			full_len++;
 
-		buf_len = full_len + 1;
-		dest = must_realloc(dest, buf_len);
+		dest = must_realloc(dest, full_len + 1);
 
-		if (cur[0] != '/')
-			(void)strlcat(dest, "/", buf_len);
-		(void)strlcat(dest, cur, buf_len);
+		if (cur[0] != '/') {
+			memcpy(dest + cur_len, "/", 1);
+			cur_len++;
+		}
+
+		memcpy(dest + cur_len, cur, buf_len);
+		cur_len += buf_len;
 	}
 	va_end(args);
 
+	dest[cur_len] = '\0';
 	return dest;
 }