[lxc-devel] [lxc/master] conf: realpath() uses null as second parameter to prevent buffer overflow
2xsec on Github
lxc-bot at linuxcontainers.org
Fri Sep 21 02:15:50 UTC 2018
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 526 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180921/7f7c1a76/attachment.bin>
-------------- next part --------------
From 74e7b6621905110e46a4bbc6b5b898328363fced Mon Sep 17 00:00:00 2001
From: 2xsec <dh48.jeong at samsung.com>
Date: Fri, 21 Sep 2018 11:09:54 +0900
Subject: [PATCH] conf: realpath() uses null as second parameter to prevent
buffer overflow
Signed-off-by: 2xsec <dh48.jeong at samsung.com>
---
src/lxc/conf.c | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 488f3dd42..371256ef2 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -553,24 +553,31 @@ int run_script(const char *name, const char *section, const char *script, ...)
int pin_rootfs(const char *rootfs)
{
int fd, ret;
- char absrootfs[MAXPATHLEN], absrootfspin[MAXPATHLEN];
+ char absrootfspin[MAXPATHLEN];
+ char *absrootfs;
struct stat s;
struct statfs sfs;
if (rootfs == NULL || strlen(rootfs) == 0)
return -2;
- if (!realpath(rootfs, absrootfs))
+ absrootfs = realpath(rootfs, NULL);
+ if (!absrootfs)
return -2;
ret = stat(absrootfs, &s);
- if (ret < 0)
+ if (ret < 0) {
+ free(absrootfs);
return -1;
+ }
- if (!S_ISDIR(s.st_mode))
+ if (!S_ISDIR(s.st_mode)) {
+ free(absrootfs);
return -2;
+ }
ret = snprintf(absrootfspin, MAXPATHLEN, "%s/.lxc-keep", absrootfs);
+ free(absrootfs);
if (ret >= MAXPATHLEN)
return -1;
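Review bot: The truncation check after `snprintf()` into `absrootfspin` tests only `ret >= MAXPATHLEN`, so a negative return would fall through and the buffer would be used as if it held a valid path. Now that `absrootfs` comes from `realpath(rootfs, NULL)` rather than a `MAXPATHLEN` array, this check is the only bound left on the pinned path. I would write it as `if (ret < 0 || ret >= MAXPATHLEN) return -1;`. The body of pin_rootfs continues past the end of the hunk, so how `absrootfspin` is used afterwards is not visible here.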
@@ -1368,18 +1375,22 @@ int lxc_chroot(const struct lxc_rootfs *rootfs)
{
int i, ret;
char *p, *p2;
- char buf[LXC_LINELEN], nroot[PATH_MAX];
+ char buf[LXC_LINELEN];
+ char *nroot;
FILE *f;
char *root = rootfs->mount;
- if (!realpath(root, nroot)) {
+ nroot = realpath(root, NULL);
+ if (!nroot) {
SYSERROR("Failed to resolve \"%s\"", root);
return -1;
}
ret = chdir("/");
- if (ret < 0)
+ if (ret < 0) {
+ free(nroot);
return -1;
+ }
/* We could use here MS_MOVE, but in userns this mount is locked and
* can't be moved.
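Review bot: The `chdir("/")` failure branch now frees `nroot` but still returns -1 without logging anything. The `realpath()` failure just above it and the `mount()` failure in the following hunk both report through `SYSERROR`. Adding `SYSERROR("Failed to change directory to \"/\"");` before `free(nroot);` would keep a failed chroot setup diagnosable from the log. lxc_chroot continues below this hunk.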
@@ -1387,8 +1398,10 @@ int lxc_chroot(const struct lxc_rootfs *rootfs)
ret = mount(nroot, "/", NULL, MS_REC | MS_BIND, NULL);
if (ret < 0) {
SYSERROR("Failed to mount \"%s\" onto \"/\" as MS_REC | MS_BIND", nroot);
+ free(nroot);
return -1;
}
+ free(nroot);
ret = mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
if (ret < 0) {
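Review bot: After `free(nroot);` on the success path the pointer stays in scope for the rest of lxc_chroot, which continues past this hunk. Any later use of `nroot` would then be a use-after-free that the compiler will not flag. I would follow the call with `nroot = NULL;`, or add a short comment such as `/* nroot is not needed past the bind mount */`, so the ownership is explicit to whoever edits the function next. Whether later code refers to `nroot` cannot be seen from here.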