From: Daniel Golle Date: Mon, 23 Aug 2021 17:34:32 +0000 (+0100) Subject: jail: protect against strcat buffer overflows X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=167dc249b0a55fdb973afbd797059a3880bb7aea;p=project%2Fprocd.git jail: protect against strcat buffer overflows Coverity CID: 1490012 Copy into fixed size buffer Signed-off-by: Daniel Golle --- diff --git a/jail/jail.c b/jail/jail.c index c02095b..1af0161 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -2186,21 +2186,24 @@ static int parseOCIlinux(struct blob_attr *msg) if (tb[OCI_LINUX_CGROUPSPATH]) { cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]); if (cgpath[0] == '/') { - if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath))) + if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath))) return E2BIG; strcat(cgfullpath, cgpath); } else { strcat(cgfullpath, "/containers/"); - strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ - strcat(cgfullpath, "/"); - if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath))) + if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) return E2BIG; + strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ + strcat(cgfullpath, "/"); strcat(cgfullpath, cgpath); } } else { strcat(cgfullpath, "/containers/"); + if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) + return E2BIG; + strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ strcat(cgfullpath, "/"); strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */