[lxc-devel] [lxc/master] verify cgroup controller name

Blub on Github lxc-bot at linuxcontainers.org
Mon Mar 30 14:14:38 UTC 2020


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 485 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200330/2a4bb720/attachment.bin>
-------------- next part --------------
From e6bc68d691796adb535b56d93d27bf2f85b4bcd3 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller at proxmox.com>
Date: Mon, 30 Mar 2020 16:01:07 +0200
Subject: [PATCH] verify cgroup controller name

validate that a cgroup controller name is a valid
zero-terminated string before passing it to
`cgroup_ops->get_cgroup()`.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 src/lxc/commands.c | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 8b2d0e0b7a..991bca290e 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -325,6 +325,34 @@ int lxc_try_cmd(const char *name, const char *lxcpath)
 	return 0;
 }
 
+/*
+ * Validate that the input is a proper string parameter. If not,
+ * send an EINVAL response and return -1.
+ *
+ * Precondition: there is non-zero-length data available.
+ */
+static int validate_string_request(int fd, const struct lxc_cmd_req *req)
+{
+	int ret;
+	size_t maxlen = req->datalen - 1;
+	const char *data = req->data;
+
+	if (data[maxlen] == 0 && strnlen(data, maxlen) == maxlen)
+		return 0;
+
+	struct lxc_cmd_rsp rsp = {
+		.ret = -EINVAL,
+		.datalen = 0,
+		.data = NULL,
+	};
+
+	ret = lxc_cmd_rsp_send(fd, &rsp);
+	if (ret < 0)
+		return LXC_CMD_REAP_CLIENT_FD;
+
+	return -1;
+}
+
 /* Implementations of the commands and their callbacks */
 
 /*
@@ -506,10 +534,15 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req,
 	struct lxc_cmd_rsp rsp;
 	struct cgroup_ops *cgroup_ops = handler->cgroup_ops;
 
-	if (req->datalen > 0)
+	if (req->datalen > 0) {
+		ret = validate_string_request(fd, req);
+		if (ret != 0)
+			return ret;
+
 		path = cgroup_ops->get_cgroup(cgroup_ops, req->data);
-	else
+	} else {
 		path = cgroup_ops->get_cgroup(cgroup_ops, NULL);
+	}
 	if (!path)
 		return -1;
 


More information about the lxc-devel mailing list