[lxc-devel] [lxc/stable-2.1] fix: gcc8.3.0 and memset overflow

fingera on Github lxc-bot at linuxcontainers.org
Thu Dec 17 14:11:26 UTC 2020 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20201217/696cad7a/attachment.bin>
-------------- next part --------------
From 94e56bd5b79e48b793041ebcac3f2b527050151c Mon Sep 17 00:00:00 2001
From: liuyujun <liuyujun at fingera.cn>
Date: Thu, 17 Dec 2020 22:08:43 +0800
Subject: [PATCH] fix: gcc8.3.0 and memset overflow

---
 src/lxc/af_unix.c       | 4 ++--
 src/lxc/confile_utils.c | 2 +-
 src/lxc/lxccontainer.c  | 3 +--
 src/lxc/network.c       | 4 ++--
 src/lxc/utils.c         | 7 +++++--
 5 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c
index 9fba0ee15c..8146ebd4a9 100644
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -62,7 +62,7 @@ int lxc_abstract_unix_open(const char *path, int type, int flags)
 		return -1;
 	}
 	/* addr.sun_path[0] has already been set to 0 by memset() */
-	strncpy(&addr.sun_path[1], &path[1], len);
+	memcpy(&addr.sun_path[1], &path[1], len);
 
 	ret = bind(fd, (struct sockaddr *)&addr,
 		   offsetof(struct sockaddr_un, sun_path) + len + 1);
@@ -115,7 +115,7 @@ int lxc_abstract_unix_connect(const char *path)
 		return -1;
 	}
 	/* addr.sun_path[0] has already been set to 0 by memset() */
-	strncpy(&addr.sun_path[1], &path[1], strlen(&path[1]));
+	memcpy(&addr.sun_path[1], &path[1], len);
 
 	ret = connect(fd, (struct sockaddr *)&addr,
 		      offsetof(struct sockaddr_un, sun_path) + len + 1);
diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
index 612f53f1e7..dde5a78342 100644
--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
@@ -616,7 +616,7 @@ int lxc_get_conf_str(char *retv, int inlen, const char *value)
 	if (!value)
 		return 0;
 	if (retv && inlen >= strlen(value) + 1)
-		strncpy(retv, value, strlen(value) + 1);
+		strncpy(retv, value, inlen);
 
 	return strlen(value);
 }
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 745941cdd2..d87e0a3d84 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -673,8 +673,7 @@ static char **split_init_cmd(const char *incmd)
 
 	len = strlen(incmd) + 1;
 	copy = alloca(len);
-	strncpy(copy, incmd, len);
-	copy[len-1] = '\0';
+	memcpy(copy, incmd, len);
 
 	do {
 		argv = malloc(sizeof(char *));
diff --git a/src/lxc/network.c b/src/lxc/network.c
index 240d09337a..b3608ed785 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -2151,8 +2151,8 @@ static int lxc_create_network_unpriv_exec(const char *lxcpath, const char *lxcna
 		return -1;
 	}
 
-	memset(netdev->name, 0, IFNAMSIZ + 1);
-	strncpy(netdev->name, token, IFNAMSIZ);
+	memset(netdev->name, 0, IFNAMSIZ);
+	strncpy(netdev->name, token, IFNAMSIZ - 1);
 
 	/* netdev->ifindex */
 	token = strtok_r(NULL, ":", &saveptr);
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index df4439549a..8139987c54 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -2340,13 +2340,16 @@ int parse_byte_size_string(const char *s, int64_t *converted)
 	char *end;
 	char dup[LXC_NUMSTRLEN64 + 2];
 	char suffix[3];
+	size_t s_len;
 
 	if (!s || !strcmp(s, ""))
 		return -EINVAL;
 
-	end = stpncpy(dup, s, sizeof(dup));
-	if (*end != '\0')
+	s_len = strlen(s);
+	if (s_len >= sizeof(dup))
 		return -EINVAL;
+	memcpy(dup, s, s_len + 1);
+	end = dup + s_len;
 
 	if (isdigit(*(end - 1)))
 		suffix_len = 0;

More information about the lxc-devel mailing list