From 167dc249b0a55fdb973afbd797059a3880bb7aea Mon Sep 17 00:00:00 2001
From: Daniel Golle <daniel@makrotopia.org>
Date: Mon, 23 Aug 2021 18:34:32 +0100
Subject: [PATCH] jail: protect against strcat buffer overflows

Coverity CID: 1490012 Copy into fixed size buffer

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
---
 jail/jail.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/jail/jail.c b/jail/jail.c
index c02095b..1af0161 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -2186,21 +2186,24 @@ static int parseOCIlinux(struct blob_attr *msg)
 	if (tb[OCI_LINUX_CGROUPSPATH]) {
 		cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]);
 		if (cgpath[0] == '/') {
-			if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath)))
+			if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
 				return E2BIG;
 
 			strcat(cgfullpath, cgpath);
 		} else {
 			strcat(cgfullpath, "/containers/");
-			strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
-			strcat(cgfullpath, "/");
-			if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath)))
+			if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
 				return E2BIG;
 
+			strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
+			strcat(cgfullpath, "/");
 			strcat(cgfullpath, cgpath);
 		}
 	} else {
 		strcat(cgfullpath, "/containers/");
+		if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
+			return E2BIG;
+
 		strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
 		strcat(cgfullpath, "/");
 		strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */
-- 
2.30.2